Filtered by vendor: SAP
Total: 1493 CVEs
CVE | Vendor | Product | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2017-15297 | SAP | Host Agent | 2024-08-05 | N/A | SAP Hostcontrol does not require authentication for the SOAP SAPControl endpoint. This is SAP Security Note 2442993.
CVE-2017-15293 | SAP | Point Of Sale Xpress Server | 2024-08-05 | N/A | Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064.
CVE-2017-15295 | SAP | Point Of Sale Xpress Server | 2024-08-05 | N/A | Xpress Server in SAP POS does not require authentication for read/write/delete file access. This is SAP Security Note 2520064.
CVE-2017-15294 | SAP | Customer Relationship Management | 2024-08-05 | N/A | The Java administration console in SAP CRM has XSS. This is SAP Security Note 2478964.
CVE-2017-15296 | SAP | Customer Relationship Management | 2024-08-05 | N/A | The Java component in SAP CRM has CSRF. This is SAP Security Note 2478964.
CVE-2017-14581 | SAP | Netweaver Application Server Java | 2024-08-05 | 7.5 High | The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash) via a crafted request, aka SAP Security Note 2389181.
CVE-2017-14511 | SAP | E-recruiting | 2024-08-05 | N/A | An issue was discovered in SAP E-Recruiting (aka ERECRUIT) 605 through 617. When an external applicant registers to the E-Recruiting application, he/she receives a link by email to confirm access to the provided email address. However, this measure can be bypassed and attackers can register and confirm email addresses that they do not have access to (candidate_hrobject is predictable and corr_act_guid is improperly validated). Furthermore, since an email address can be registered only once, an attacker could prevent other legitimate users from registering. This is SAP Security Note 2507798.
CVE-2017-14516 | SAP | Businessobjects Financial Consolidation | 2024-08-05 | N/A | Cross-Site Scripting (XSS) exists in SAP Business Objects Financial Consolidation before 2017-06-13, aka SAP Security Note 2422292.
CVE-2017-12637 | SAP | Netweaver Application Server Java | 2024-08-05 | 7.5 High | Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.
CVE-2017-11457 | SAP | Netweaver Application Server Java | 2024-08-05 | 6.5 Medium | XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249.
CVE-2017-11460 | SAP | Netweaver Portal | 2024-08-05 | N/A | Cross-site scripting (XSS) vulnerability in the DataArchivingService servlet in SAP NetWeaver Portal 7.4 allows remote attackers to inject arbitrary web script or HTML via the responsecode parameter to shp/shp_result.jsp, aka SAP Security Note 2308535.
CVE-2017-11458 | SAP | Netweaver Application Server Java | 2024-08-05 | 6.1 Medium | Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783.
CVE-2017-11459 | SAP | Trex | 2024-08-05 | N/A | SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via an fget command or (2) write to arbitrary files and consequently execute arbitrary code via an fdir command, aka SAP Security Note 2419592.
CVE-2017-10701 | SAP | Enterprise Portal | 2024-08-05 | N/A | Cross-site scripting (XSS) vulnerability in SAP Enterprise Portal 7.50 allows remote attackers to inject arbitrary web script or HTML, aka SAP Security Notes 2469860, 2471209, and 2488516.
CVE-2017-9843 | SAP | Netweaver Abap | 2024-08-05 | 2.7 Low | SAP NetWeaver AS ABAP 7.40 allows remote authenticated users with certain privileges to cause a denial of service (process crash) via vectors involving disp+work.exe, aka SAP Security Note 2406841.
CVE-2017-9844 | SAP | Netweaver | 2024-08-05 | N/A | SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, aka SAP Security Note 2399804.
CVE-2017-9845 | SAP | Netweaver | 2024-08-05 | N/A | disp+work 7400.12.21.30308 in SAP NetWeaver 7.40 allows remote attackers to cause a denial of service (resource consumption) via a crafted DIAG request, aka SAP Security Note 2405918.
CVE-2017-9613 | SAP | Successfactors | 2024-08-05 | N/A | Stored cross-site scripting (XSS) vulnerability in SAP SuccessFactors before b1705.1234962 allows remote authenticated users to inject arbitrary web script or HTML via the file upload functionality.
CVE-2017-8913 | SAP | Netweaver Application Server Java | 2024-08-05 | 8.8 High | The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873.
CVE-2017-8914 | SAP | Hana Xs | 2024-08-05 | N/A | sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to hijack npm packages or host arbitrary files by leveraging an insecure user creation policy, aka SAP Security Note 2407694.