Filtered by vendor: SAP
Total: 1452 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-0270 | 1 Sap | 5 Advanced Business Application Programming Platform Kernel, Advanced Business Application Programming Platform Krnl32nuc, Advanced Business Application Programming Platform Krnl32uc and 2 more | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
ABAP Server of SAP NetWeaver and ABAP Platform fail to perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has been corrected in the following versions: KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.74, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, 7.74, 8.04, KERNEL 7.21, 7.45, 7.49, 7.53, 7.73, 7.74, 7.75, 8.04. | |||||
CVE-2019-0327 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation. | |||||
CVE-2019-0305 | 1 Sap | 1 Netweaver Process Integration | 2024-02-04 | 4.3 MEDIUM | 4.3 MEDIUM |
Java Server Pages (JSPs) provided by SAP NetWeaver Process Integration (SAP_XIESR and SAP_XITOOL: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not restrict, or incorrectly restrict, frame objects or UI layers that belong to another application or domain, resulting in a Clickjacking vulnerability. Successful exploitation leads to unwanted modification of the user's data. | |||||
CVE-2019-0284 | 1 Sap | 1 Hana | 2024-02-04 | 3.6 LOW | 6.0 MEDIUM |
SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not sufficiently validate an XML document accepted from an untrusted source. The attacker can call SLDREG with an XML file containing a reference to an XML External Entity (XXE). This can cause SLDREG to, for example, continuously loop, read arbitrary files and even send local files. | |||||
CVE-2019-0331 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
Under certain conditions, SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, allows an attacker to access sensitive data such as directory structure, leading to Information Disclosure. | |||||
CVE-2018-2502 | 1 Sap | 1 Business One On Hana | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
The TRACE method is enabled in SAP Business One Service Layer. An attacker can use it for a Cross-Site Tracing (XST) attack if a front-end application that uses the Service Layer has an XSS vulnerability. This has been fixed in SAP Business One Service Layer (B1_ON_HANA, versions 9.2, 9.3). | |||||
CVE-2019-0241 | 1 Sap | 2 Agentry Sdk, Work Manager | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
SAP Work and Inventory Manager (Agentry_SDK, before 7.0, 7.1) allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | |||||
CVE-2018-2468 | 1 Sap | 1 Adaptive Server Enterprise | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Under certain conditions the backup server in SAP Adaptive Server Enterprise (ASE), versions 15.7 and 16.0, allows an attacker to access information which would otherwise be restricted. | |||||
CVE-2019-0266 | 1 Sap | 1 Hana Extended Application Services | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Under certain conditions SAP HANA Extended Application Services, version 1.0, advanced model (XS advanced) writes credentials of platform users to a trace file of the SAP HANA system. Even though this trace file is protected from unauthorized access, the risk of leaking information is increased. | |||||
CVE-2018-2462 | 1 Sap | 1 Netweaver | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
In certain cases, the BEx Web Java Runtime Export Web Service in SAP NetWeaver BI 7.30, 7.31, 7.40, 7.41, 7.50 does not sufficiently validate an XML document accepted from an untrusted source. | |||||
CVE-2018-2503 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 3.3 LOW | 7.4 HIGH |
By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict the access to resources that should be protected. This has been fixed in SAP NetWeaver AS Java (ServerCore versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50). | |||||
CVE-2018-2497 | 1 Sap | 1 Hana | 2024-02-04 | 4.0 MEDIUM | 2.7 LOW |
The security audit log of SAP HANA, versions 1.0 and 2.0, does not log SELECT events if these events are part of a statement with the syntax `CREATE TABLE <table_name> AS SELECT`. | |||||
CVE-2019-0247 | 1 Sap | 1 Cloud Connector | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
SAP Cloud Connector, before version 2.11.3, allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. | |||||
CVE-2018-2466 | 1 Sap | 1 Data Services | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
In Impact and Lineage Analysis in SAP Data Services, version 4.2, the management console does not sufficiently validate user-controlled inputs, which results in Cross-Site Scripting (XSS) vulnerability. | |||||
CVE-2019-0240 | 1 Sap | 1 Businessobjects Mobile | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
The SAP BusinessObjects Mobile for Android application (before 6.3.5) allows an attacker to provide malicious input in the form of a SAP BI link, preventing legitimate users from accessing the application by crashing it. | |||||
CVE-2018-2482 | 1 Sap | 1 Mobile Secure | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
SAP Mobile Secure Android Application (Mobile-secure.apk Android client), before version 6.60.19942.0, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Install the Mobile Secure Android client released in mid-October 2018. | |||||
CVE-2018-2471 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 allows an attacker to access information which would otherwise be restricted. | |||||
CVE-2018-2492 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 5.5 MEDIUM | 7.1 HIGH |
SAML 2.0 functionality in SAP NetWeaver AS Java does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50. | |||||
CVE-2018-2469 | 1 Sap | 1 Adaptive Server Enterprise | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Under certain conditions SAP Adaptive Server Enterprise (ASE), versions 15.7 and 16.0, allows an attacker to access information which would otherwise be restricted. | |||||
CVE-2018-2478 | 1 Sap | 1 Basis | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
An attacker can use specially crafted inputs to execute commands on the host of a TREX / BWA installation, SAP Basis, versions: 7.0 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40 and 7.50 to 7.53. Not all commands are possible, only those that the `<sid>adm` user can execute, so the impact depends on the privileges of the `<sid>adm` user. | |||||
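Three entries above (CVE-2019-0284 in SLD registration, CVE-2018-2462 in the BEx export service, CVE-2018-2492 in SAML 2.0) describe the same weakness: an XML document from an untrusted source is parsed without sufficient validation, which in the SLDREG case lets an external entity read local files or keep the parser looping. The block below is an added example, not SAP's code: it shows a generic XML consumer parsing an XXE payload with external entities resolved, and a hardened variant that refuses any DTD before parsing. The secret file, the `registration` document and the entity name `xxe` are constructed for the demo and stand in for whatever the real service accepts.

```python
"""XXE in an XML consumer, and the gate that closes it (added example, not SAP code)."""
import io
import os
import tempfile
import xml.etree.ElementTree as ET
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Gathers character data so we can see what an entity expanded to."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_trusting(xml_bytes):
    """Parse with external general entities resolved: the unsafe setting.

    With this on, <!ENTITY x SYSTEM "/path"> makes the parser open /path
    and splice its contents into the document text (the file read in the
    SLDREG entry). Python's xml.sax has it off by default; we turn it on
    to reproduce a parser that does not.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def parse_hardened(xml_bytes):
    """Refuse any DTD before parsing, then parse with the standard library.

    External entities, external DTD fetches and entity-expansion loops
    all need a DOCTYPE, and a plain data document never does, so the
    check fails closed. A DOCTYPE hidden inside a comment is rejected
    too, which is the safe direction for a registration endpoint.
    """
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD declarations are not accepted")
    root = ET.fromstring(xml_bytes)
    return root.tag, (root.text or "")


def demo():
    """Run both parsers over an XXE payload that points at a local file.

    Returns what leaked through the trusting parser and whether the
    hardened parser refused the document.
    """
    fd, secret_path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("top-secret-value")  # constructed stand-in for a local secret
        payload = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE registration [<!ENTITY xxe SYSTEM "%s">]>\n'
            "<registration>&xxe;</registration>" % secret_path
        ).encode()
        leaked = parse_trusting(payload)
        try:
            parse_hardened(payload)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.unlink(secret_path)
    return {"leaked": leaked.strip(), "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The substring gate is deliberately blunt: it runs before any parser sees the bytes, so it also stops the entity-expansion loop the SLDREG entry mentions, which no post-parse check can. For a consumer that genuinely needs a DTD, the equivalent is a parser configured to resolve no external entities at all, not a per-document allow list.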
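Two other entries are checkable from a single HTTP response: CVE-2018-2502 (TRACE left enabled, enabling cross-site tracing) and CVE-2019-0305 (pages that can be framed by another origin, enabling clickjacking). The block below is an added example, not SAP's code or tooling: it builds the TRACE probe, parses raw responses, and classifies them. The host name, the `SESSIONID` cookie and all four responses are constructed here so the checks run offline; against a live system the same functions would be fed the bytes read back from a socket.

```python
"""Response checks for cross-site tracing and clickjacking (added example, not SAP code)."""


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body).

    Header names are lower-cased; repeated headers are joined with commas.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("ascii")
        value = value.strip().decode("latin-1")
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return status, headers, body


def trace_probe(host, path="/", cookie=None):
    """Build the TRACE request used to test a server.

    TRACE echoes the request back as a message/http body, so a Cookie
    header we send reappears where script can read it. That is what
    cross-site tracing abuses once an XSS bug lets the attacker issue
    the request from the victim's browser.
    """
    req = f"TRACE {path} HTTP/1.1\r\nHost: {host}\r\n"
    if cookie:
        req += f"Cookie: {cookie}\r\n"
    return (req + "\r\n").encode("ascii")


def trace_enabled(raw_response, cookie_marker):
    """True when the server honoured TRACE and echoed our cookie back."""
    status, headers, body = parse_response(raw_response)
    if status != 200:
        return False
    if not headers.get("content-type", "").lower().startswith("message/http"):
        return False
    return cookie_marker.encode("ascii") in body


def framing_protection(headers):
    """Classify anti-framing headers as 'csp', 'xfo' or 'none'.

    A Content-Security-Policy frame-ancestors directive overrides
    X-Frame-Options in current browsers, and one that allows * protects
    nothing; ALLOW-FROM is ignored by modern browsers and counts as none.
    """
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return "none" if "*" in tokens[1:] else "csp"
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"


def audit(raw_response, cookie_marker):
    """Verdict for one response: does it show either weakness?"""
    _, headers, _ = parse_response(raw_response)
    return {
        "xst": trace_enabled(raw_response, cookie_marker),
        "framing": framing_protection(headers),
    }


# Constructed responses; host and cookie are placeholders, not real values.
HOST = "servicelayer.example.internal"
COOKIE = "SESSIONID=0123456789abcdef"
TRACE_ECHOED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    + trace_probe(HOST, "/", COOKIE)
)
TRACE_REFUSED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, POST\r\n\r\n"
PAGE_UNPROTECTED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
PAGE_PROTECTED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    b"X-Frame-Options: DENY\r\n\r\n<html>"
)

if __name__ == "__main__":
    for label, resp in (("trace echoed", TRACE_ECHOED), ("trace refused", TRACE_REFUSED),
                        ("page unprotected", PAGE_UNPROTECTED), ("page protected", PAGE_PROTECTED)):
        print(label, audit(resp, COOKIE))
```

The TRACE check insists on both a 200 status and a `message/http` body containing the cookie, because some front ends answer TRACE with a 200 error page without echoing anything; a bare status code would over-report. The fix on the server side is the 405 shape shown in `TRACE_REFUSED`, and the fix for the JSP entries is the `frame-ancestors` header shown in `PAGE_PROTECTED`.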