Filtered by vendor Sap
Total: 1485 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2002-1576 | 1 Sap | 1 Sap Db | 2024-11-20 | 7.2 HIGH | N/A |
lserver in SAP DB 7.3 and earlier uses the current working directory to find and execute the lserversrv program, which allows local users to gain privileges with a malicious lserversrv that is called from a directory that has a symlink to the lserver program. | |||||
CVE-2001-0366 | 1 Sap | 2 Sap R 3 Web Application Server Demo, Saposcol | 2024-11-20 | 7.2 HIGH | N/A |
saposcol in SAP R/3 Web Application Server Demo before 1.5 trusts the PATH environmental variable to find and execute the expand program, which allows local users to obtain root access by modifying the PATH to point to a Trojan horse expand program. | |||||
CVE-2024-45282 | 1 Sap | 1 S/4 Hana | 2024-11-14 | N/A | 5.3 MEDIUM |
Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted. | |||||
CVE-2024-45277 | 1 Sap | 1 Hana-client | 2024-11-14 | N/A | 4.3 MEDIUM |
The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 are impacted by a Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature, causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity. | |||||
CVE-2024-37179 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-11-14 | N/A | 6.5 MEDIUM |
SAP BusinessObjects Business Intelligence Platform allows an authenticated user to send a specially crafted request to the Web Intelligence Reporting Server to download any file from the machine hosting the service, causing high impact on confidentiality of the application. | |||||
CVE-2024-45278 | 1 Sap | 1 Commerce Backoffice | 2024-11-14 | N/A | 5.4 MEDIUM |
SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application. | |||||
CVE-2024-47594 | 1 Sap | 1 Netweaver Enterprise Portal | 2024-11-14 | N/A | 5.4 MEDIUM |
SAP NetWeaver Enterprise Portal (KMC) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability in KMC servlet. An attacker could craft a script and trick the user into clicking it. When a victim who is registered on the portal clicks on such link, confidentiality and integrity of their web browser session could be compromised. | |||||
CVE-2024-47595 | 1 Sap | 1 Host Agent | 2024-11-14 | N/A | 7.1 HIGH |
An attacker who gains local membership to sapsys group could replace local files usually protected by privileged access. On successful exploitation the attacker could cause high impact on confidentiality and integrity of the application. | |||||
CVE-2024-42374 | 1 Sap | 1 Bex Web Java Runtime Export Web Service | 2024-09-16 | N/A | 8.2 HIGH |
BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source. An attacker can retrieve information from the SAP ADS system and exhaust the number of XMLForm service which makes the SAP ADS rendering (PDF creation) unavailable. This affects the confidentiality and availability of the application. | |||||
CVE-2024-33003 | 1 Sap | 1 Commerce Cloud | 2024-09-16 | N/A | 9.1 CRITICAL |
Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a High impact on confidentiality and integrity of the application. | |||||
CVE-2024-44112 | 1 Sap | 1 Oil & Gas | 2024-09-16 | N/A | 4.3 MEDIUM |
Due to missing authorization check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function which will allow them to delete non-sensitive entries in a user data table. There is no effect on confidentiality or availability. | |||||
CVE-2024-41728 | 1 Sap | 1 Netweaver Application Server Abap | 2024-09-16 | N/A | 2.7 LOW |
Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker would otherwise not have access to view these objects. | |||||
CVE-2024-44114 | 1 Sap | 1 Netweaver Application Server Abap | 2024-09-16 | N/A | 2.7 LOW |
SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over the network. This results in a minimal impact on confidentiality of the application. | |||||
CVE-2024-33005 | 1 Sap | 4 Content Server, Netweaver Abap, Netweaver Java and 1 more | 2024-09-12 | N/A | 6.3 MEDIUM |
Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server can impersonate other users and may perform some unintended actions. This could lead to a low impact on confidentiality and a high impact on the integrity and availability of the applications. | |||||
CVE-2024-41730 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2024-09-12 | N/A | 9.8 CRITICAL |
In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability. | |||||
CVE-2024-41733 | 1 Sap | 1 Commerce | 2024-09-12 | N/A | 5.3 MEDIUM |
In SAP Commerce, valid user accounts can be identified during the customer registration and login processes. This allows a potential attacker to learn if a given e-mail is used for an account, but does not grant access to any customer data beyond this knowledge. The attacker must already know the e-mail that they wish to test for. The impact on confidentiality is therefore low, and there is no impact to integrity or availability. | |||||
CVE-2024-41735 | 1 Sap | 1 Commerce Backoffice | 2024-09-12 | N/A | 5.4 MEDIUM |
SAP Commerce Backoffice does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability causing low impact on confidentiality and integrity of the application. | |||||
CVE-2024-41736 | 1 Sap | 1 Permit To Work | 2024-09-12 | N/A | 4.3 MEDIUM |
Under certain conditions SAP Permit to Work allows an authenticated attacker to access information which would otherwise be restricted causing low impact on the confidentiality of the application. | |||||
CVE-2024-41737 | 1 Sap | 1 Crm Abap Insights Management | 2024-09-12 | N/A | 5.0 MEDIUM |
SAP CRM ABAP (Insights Management) allows an authenticated attacker to enumerate HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application. | |||||
CVE-2024-42376 | 1 Sap | 1 Shared Service Framework | 2024-09-12 | N/A | 6.5 MEDIUM |
SAP Shared Service Framework does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. On successful exploitation, an attacker can cause a high impact on confidentiality of the application. |