Filtered by vendor Sap Subscriptions
Total 1493 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-39440 1 Sap 1 Businessobjects Business Intelligence 2024-11-21 4.4 Medium
In SAP BusinessObjects Business Intelligence - version 420, If a user logs in to a particular program, under certain specific conditions memory might not be cleared up properly, due to which attacker might be able to get access to user credentials. For a successful attack, the attacker needs to have local access to the system. There is no impact on availability and integrity.
CVE-2023-39439 1 Sap 2 Commerce Cloud, Commerce Hycom 2024-11-21 8.8 High
SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.
CVE-2023-39438 1 Sap 1 Contributor License Agreement Assistant 2024-11-21 8.1 High
A missing authorization check allows an arbitrary authenticated user to perform certain operations through the API of CLA-assistant by executing specific additional steps. This allows an arbitrary authenticated user to read CLA information including information of the persons who signed them as well as custom fields the CLA requester had configured. In addition, an arbitrary authenticated user can update or delete the CLA-configuration for repositories or organizations using CLA-assistant. The stored access tokens for GitHub are not affected, as these are redacted from the API-responses.
CVE-2023-39437 1 Sap 1 Business One 2024-11-21 7.6 High
SAP business One allows - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and gets it delivered to the client, resulting to Cross-site scripting. This could lead to harmful action affecting the Confidentiality, Integrity and Availability of the application.
CVE-2023-39436 1 Sap 1 Supplier Relationship Management 2024-11-21 5.8 Medium
SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against SRM.
CVE-2023-37492 1 Sap 1 Netweaver Application Server Abap 2024-11-21 4.9 Medium
SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 793, SAP_BASIS 804, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read sensitive information which can be used in a subsequent serious attack.
CVE-2023-37491 1 Sap 1 Message Server 2024-11-21 7.5 High
The ACL (Access Control List) of SAP Message Server - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, RNL64UC 7.22, RNL64UC 7.22EXT, RNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22EXT, can be bypassed in certain conditions, which may enable an authenticated malicious user to enter the network of the SAP systems served by the attacked SAP Message server. This may lead to unauthorized read and write of data as well as rendering the system unavailable.
CVE-2023-37490 1 Sap 1 Businessobjects Business Intelligence 2024-11-21 7.6 High
SAP Business Objects Installer - versions 420, 430, allows an authenticated attacker within the network to overwrite an executable file created in a temporary directory during the installation process. On replacing this executable with a malicious file, an attacker can completely compromise the confidentiality, integrity, and availability of the system
CVE-2023-37489 1 Sap 1 Businessobjects Business Intelligence 2024-11-21 5.3 Medium
Due to the lack of validation, SAP BusinessObjects Business Intelligence Platform (Version Management System) - version 403, permits an unauthenticated user to read the code snippet through the UI, which leads to low impact on confidentiality and no impact on the application's availability or integrity.
CVE-2023-37488 1 Sap 1 Netweaver Process Integration 2024-11-21 6.1 Medium
In SAP NetWeaver Process Integration - versions SAP_XIESR 7.50, SAP_XITOOL 7.50, SAP_XIAF 7.50, user-controlled inputs, if not sufficiently encoded, could result in Cross-Site Scripting (XSS) attack. On successful exploitation the attacker can cause limited impact on confidentiality and integrity of the system.
CVE-2023-37487 1 Sap 1 Business One 2024-11-21 5.3 Medium
SAP Business One (Service Layer) - version 10.0, allows an authenticated attacker with deep knowledge perform certain operation to access unintended data over the network which could lead to high impact on confidentiality with no impact on integrity and availability of the application
CVE-2023-37486 1 Sap 2 Commerce Cloud, Commerce Hycom 2024-11-21 5.9 Medium
Under certain conditions SAP Commerce (OCC API) - versions HY_COM 2105, HY_COM 2205, COM_CLOUD 2211, endpoints allow an attacker to access information which would otherwise be restricted. On successful exploitation there could be a high impact on confidentiality with no impact on integrity and availability of the application.
CVE-2023-37484 1 Sap 1 Powerdesigner 2024-11-21 5.3 Medium
SAP PowerDesigner - version 16.7, queries all password hashes in the backend database and compares it with the user provided one during login attempt, which might allow an attacker to access password hashes from the client's memory.
CVE-2023-37483 1 Sap 1 Powerdesigner 2024-11-21 9.8 Critical
SAP PowerDesigner - version 16.7, has improper access control which might allow an unauthenticated attacker to run arbitrary queries against the back-end database via Proxy.
CVE-2023-36926 1 Sap 1 Host Agent 2024-11-21 3.7 Low
Due to missing authentication check in SAP Host Agent - version 7.22, an unauthenticated attacker can set an undocumented parameter to a particular compatibility value and in turn call read functions. This allows the attacker to gather some non-sensitive information about the server.  There is no impact on integrity or availability.
CVE-2023-36925 1 Sap 1 Solution Manager 2024-11-21 7.2 High
SAP Solution Manager (Diagnostics agent) - version 7.20, allows an unauthenticated attacker to blindly execute HTTP requests. On successful exploitation, the attacker can cause a limited impact on confidentiality and availability of the application and other applications the Diagnostics Agent can reach.
CVE-2023-36924 1 Sap 1 Erp Defense Forces And Public Security 2024-11-21 4.9 Medium
While using a specific function, SAP ERP Defense Forces and Public Security - versions 600, 603, 604, 605, 616, 617, 618, 802, 803, 804, 805, 806, 807, allows an authenticated attacker with admin privileges to write arbitrary data to the syslog file. On successful exploitation, an attacker could modify all the syslog data causing a complete compromise of integrity of the application.
CVE-2023-36923 1 Sap 1 Powerdesigner 2024-11-21 7.8 High
SAP SQLA for PowerDesigner 17 bundled with SAP PowerDesigner 16.7 SP06 PL03, allows an attacker with local access to the system, to place a malicious library, that can be executed by the application. An attacker could thereby control the behavior of the application.
CVE-2023-36922 1 Sap 1 Netweaver 2024-11-21 9.1 Critical
Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension.  On successful exploitation, the attacker can read or modify the system data as well as shut down the system.
CVE-2023-36921 1 Sap 1 Solution Manager 2024-11-21 7.2 High
SAP Solution Manager (Diagnostics agent) - version 7.20, allows an attacker to tamper with headers in a client request. This misleads SAP Diagnostics Agent to serve poisoned content to the server. On successful exploitation, the attacker can cause a limited impact on confidentiality and availability of the application.