Filtered by vendor Sap
Subscriptions
Total
1483 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-24739 | 1 Sap | 1 Bank Account Management | 2024-10-16 | 6.3 Medium |
| SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application. | ||||
| CVE-2024-24740 | 1 Sap | 1 Netweaver Application Server Abap | 2024-10-16 | 5.3 Medium |
| SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which could otherwise be restricted with low impact on confidentiality of the application. | ||||
| CVE-2024-24742 | 1 Sap | 1 Crm - Webclient Ui | 2024-10-16 | 4.1 Medium |
| SAP CRM WebClient UI - version S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to integrity of the application data after successful exploitation. There is no impact on confidentiality and availability. | ||||
| CVE-2024-25642 | 1 Sap | 1 Cloud Connector | 2024-10-16 | 7.4 High |
| Due to improper validation of certificate in SAP Cloud Connector - version 2.0, attacker can impersonate the genuine servers to interact with SCC breaking the mutual authentication. Hence, the attacker can intercept the request to view/modify sensitive information. There is no impact on the availability of the system. | ||||
| CVE-2024-22129 | 1 Sap | 1 Companion | 2024-10-16 | 5.4 Medium |
| SAP Companion - version <3.1.38, has a URL with parameter that could be vulnerable to XSS attack. The attacker could send a malicious link to a user that would possibly allow an attacker to retrieve the sensitive information and cause minor impact on the integrity of the web application. | ||||
| CVE-2024-24741 | 1 Sap | 1 Master Data Governance For Material Data | 2024-10-16 | 4.3 Medium |
| SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability. | ||||
| CVE-2024-25643 | 1 Sap | 1 Fiori | 2024-10-16 | 4.3 Medium |
| The SAP Fiori app (My Overtime Request) - version 605, does not perform the necessary authorization checks for an authenticated user which may result in an escalation of privileges. It is possible to manipulate the URLs of data requests to access information that the user should not have access to. There is no impact on integrity and availability. | ||||
| CVE-2023-39436 | 1 Sap | 1 Supplier Relationship Management | 2024-10-15 | 5.8 Medium |
| SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against SRM. | ||||
| CVE-2018-2378 | 1 Sap | 1 Hana Extended Application Services | 2024-10-15 | N/A |
| In SAP HANA Extended Application Services, 1.0, unauthorized users can read statistical data about deployed applications including resource consumption. | ||||
| CVE-2023-39437 | 1 Sap | 1 Business One | 2024-10-11 | 7.6 High |
| SAP business One allows - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and gets it delivered to the client, resulting to Cross-site scripting. This could lead to harmful action affecting the Confidentiality, Integrity and Availability of the application. | ||||
| CVE-2023-37484 | 1 Sap | 1 Powerdesigner | 2024-10-10 | 5.3 Medium |
| SAP PowerDesigner - version 16.7, queries all password hashes in the backend database and compares it with the user provided one during login attempt, which might allow an attacker to access password hashes from the client's memory. | ||||
| CVE-2023-37487 | 1 Sap | 1 Business One | 2024-10-10 | 5.3 Medium |
| SAP Business One (Service Layer) - version 10.0, allows an authenticated attacker with deep knowledge perform certain operation to access unintended data over the network which could lead to high impact on confidentiality with no impact on integrity and availability of the application | ||||
| CVE-2023-33993 | 1 Sap | 1 Business One | 2024-10-10 | 7.1 High |
| B1i module of SAP Business One - version 10.0, application allows an authenticated user with deep knowledge to send crafted queries over the network to read or modify the SQL data. On successful exploitation, the attacker can cause high impact on confidentiality, integrity and availability of the application. | ||||
| CVE-2023-36923 | 1 Sap | 1 Powerdesigner | 2024-10-10 | 7.8 High |
| SAP SQLA for PowerDesigner 17 bundled with SAP PowerDesigner 16.7 SP06 PL03, allows an attacker with local access to the system, to place a malicious library, that can be executed by the application. An attacker could thereby control the behavior of the application. | ||||
| CVE-2023-36926 | 1 Sap | 1 Host Agent | 2024-10-10 | 3.7 Low |
| Due to missing authentication check in SAP Host Agent - version 7.22, an unauthenticated attacker can set an undocumented parameter to a particular compatibility value and in turn call read functions. This allows the attacker to gather some non-sensitive information about the server. There is no impact on integrity or availability. | ||||
| CVE-2023-37483 | 1 Sap | 1 Powerdesigner | 2024-10-10 | 9.8 Critical |
| SAP PowerDesigner - version 16.7, has improper access control which might allow an unauthenticated attacker to run arbitrary queries against the back-end database via Proxy. | ||||
| CVE-2023-37488 | 1 Sap | 1 Netweaver Process Integration | 2024-10-10 | 6.1 Medium |
| In SAP NetWeaver Process Integration - versions SAP_XIESR 7.50, SAP_XITOOL 7.50, SAP_XIAF 7.50, user-controlled inputs, if not sufficiently encoded, could result in Cross-Site Scripting (XSS) attack. On successful exploitation the attacker can cause limited impact on confidentiality and integrity of the system. | ||||
| CVE-2024-22126 | 1 Sap | 1 Netweaver Application Server Java | 2024-10-10 | 8.8 High |
| The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability. | ||||
| CVE-2023-49578 | 1 Sap | 1 Cloud Connector | 2024-10-09 | 3.5 Low |
| SAP Cloud Connector - version 2.0, allows an authenticated user with low privilege to perform Denial of service attack from adjacent UI by sending a malicious request which leads to low impact on the availability and no impact on confidentiality or Integrity of the application. | ||||
| CVE-2023-39438 | 1 Sap | 1 Contributor License Agreement Assistant | 2024-10-08 | 8.1 High |
| A missing authorization check allows an arbitrary authenticated user to perform certain operations through the API of CLA-assistant by executing specific additional steps. This allows an arbitrary authenticated user to read CLA information including information of the persons who signed them as well as custom fields the CLA requester had configured. In addition, an arbitrary authenticated user can update or delete the CLA-configuration for repositories or organizations using CLA-assistant. The stored access tokens for GitHub are not affected, as these are redacted from the API-responses. | ||||