Filtered by vendor Sap
Total: 1493 CVEs
CVE | Vendor | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2020-6211 | SAP | BusinessObjects Business Intelligence Platform | 2024-08-04 | 6.1 Medium | SAP BusinessObjects Business Intelligence Platform (AdminTools), versions 4.1, 4.2, allows an attacker to redirect users to a malicious site due to insufficient URL validation and steal credentials of the victim, leading to URL Redirection vulnerability.
CVE-2020-6197 | SAP | Enable Now | 2024-08-04 | 3.3 Low | SAP Enable Now, before version 1908, does not invalidate session tokens in a timely manner. The Insufficient Session Expiration may allow attackers with local access, for instance, to still download the portables.
CVE-2020-6188 | SAP | ERP, S/4HANA | 2024-08-04 | 8.8 High | VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user, leading to Missing Authorization Check.
CVE-2020-6214 | SAP | S/4HANA | 2024-08-04 | 4.7 Medium | SAP S/4HANA (Financial Products Subledger), version 100, uses an incorrect authorization object in some reports. Although the affected reports are protected with other authorization objects, exploitation of the vulnerability would allow an authenticated attacker to view, change, or delete data, thereby preventing the proper segregation of duties in the system.
CVE-2020-6206 | SAP | Cloud Platform Integration | 2024-08-04 | 4.3 Medium | SAP Cloud Platform Integration for Data Services, version 1.0, allows user inputs to be reflected as error or warning messages. This could mislead the victim to follow malicious instructions inserted by external attackers, leading to Cross Site Request Forgery.
CVE-2020-6209 | SAP | Disclosure Management | 2024-08-04 | 7.5 High | SAP Disclosure Management, version 10.1, does not perform necessary authorization checks for an authenticated user, allowing access to administration accounts by a user with no roles, leading to Missing Authorization Check.
CVE-2020-6208 | SAP | Crystal Reports | 2024-08-04 | 8.2 High | SAP BusinessObjects Business Intelligence Platform (Crystal Reports), versions 4.1, 4.2, allows an attacker with basic authorization to inject code that can be executed by the application, thus allowing the attacker to control the behaviour of the application, leading to Remote Code Execution. Although the mode of attack is only Local, multiple applications can be impacted as a result of the vulnerability.
CVE-2020-6190 | SAP | NetWeaver Application Server Java | 2024-08-04 | 5.8 Medium | Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system, such as hostname, server node and installation path, that could be misused by an attacker, leading to Information Disclosure.
CVE-2020-6202 | SAP | NetWeaver Application Server Java | 2024-08-04 | 7.2 High | SAP NetWeaver Application Server Java (User Management Engine), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate the LDAP data source configuration XML document accepted from an untrusted source, leading to Missing XML Validation.
CVE-2020-6200 | SAP | Commerce Cloud | 2024-08-04 | 5.4 Medium | SAP Commerce (SmartEdit Extension), versions 6.6, 6.7, 1808, 1811, is vulnerable to client-side AngularJS template injection, a variant of Cross-Site Scripting (XSS) that exploits the templating facilities of the Angular framework.
CVE-2020-6186 | SAP | Host Agent | 2024-08-04 | 7.5 High | SAP Host Agent, version 7.21, allows an attacker to cause a slowdown in processing of username/password-based authentication requests of the SAP Host Agent, leading to Denial of Service.
CVE-2020-6203 | SAP | NetWeaver | 2024-08-04 | 9.1 Critical | SAP NetWeaver UDDI Server (Services Registry), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to exploit insufficient validation of path information provided by users: characters representing "traverse to parent directory" are passed through to the file APIs, leading to Path Traversal.
CVE-2020-6205 | SAP | NetWeaver AS ABAP Business Server Pages | 2024-08-04 | 6.1 Medium | SAP NetWeaver AS ABAP Business Server Pages (Smart Forms), SAP_BASIS versions 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54, does not sufficiently encode user-controlled inputs, allowing an unauthenticated attacker to non-permanently deface or modify displayed content and/or steal authentication information of the user and/or impersonate the user and access all information with the same rights as the target user, leading to Reflected Cross Site Scripting Vulnerability.
CVE-2020-6216 | SAP | BusinessObjects Business Intelligence Platform | 2024-08-04 | 6.1 Medium | SAP BusinessObjects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.
CVE-2020-6210 | SAP | Fiori Launchpad | 2024-08-04 | 6.1 Medium | SAP Fiori Launchpad, versions 753, 754, does not sufficiently encode user-controlled inputs, allowing the attacker to inject a meta tag into the launchpad HTML using the vulnerable parameter, leading to reflected Cross-Site Scripting (XSS) vulnerability.
CVE-2020-6187 | SAP | NetWeaver Guided Procedures | 2024-08-04 | 4.9 Medium | SAP NetWeaver (Guided Procedures), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document input from a compromised admin, leading to Denial of Service.
CVE-2020-6177 | SAP | Mobile Platform | 2024-08-04 | 4.3 Medium | SAP Mobile Platform, version 3.0, does not sufficiently validate an XML document accepted from an untrusted source, which could lead to partial denial of service. Since SAP Mobile Platform does not allow external-entity resolving, there is no issue of leaking content of files on the server.
CVE-2021-44232 | SAP | SAF-T Framework | 2024-08-04 | 7.7 High | SAF-T Framework transaction SAFTN_G allows an attacker to exploit insufficient validation of path information provided by a normal user, leading to full server directory access. The attacker can see the whole filesystem structure but cannot overwrite, delete, or corrupt arbitrary files on the server.
CVE-2021-44233 | SAP | Access Control | 2024-08-04 | 8.8 High | SAP GRC Access Control, versions V1100_700, V1100_731, V1200_750, does not perform necessary authorization checks for an authenticated user, which could lead to escalation of privileges.
CVE-2021-44234 | SAP | Business One | 2024-08-04 | 5.5 Medium | SAP Business One, version 10.0: the extended log stores information that can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
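Two entries above (CVE-2020-6203 and CVE-2021-44232) describe the same defect class: "traverse to parent directory" characters in user-supplied path information reaching the file APIs. The check below is an added illustration of how to contain such a path, written for this page; it is not SAP's code and says nothing about how the listed products were fixed. The base directory, the file names and the `resolve_within` / `is_contained` names are this example's own, and `posixpath` is used so the result is the same on every OS.

```python
"""Path-containment check for user-supplied relative paths (added example)."""
import posixpath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a user path would resolve outside the base directory."""


def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the normalized absolute path of base_dir/user_path, or raise.

    Order matters: decode first (so '..%2F' is seen as '../'), then normalize
    (so 'a/../../x' collapses before the check), then test containment on
    whole path components, not raw string prefixes (so a base of 'data'
    does not accept 'data_secret').
    Decode exactly as many times as the downstream consumer will; decoding
    fewer times than the file layer does leaves a bypass.
    """
    decoded = unquote(user_path)
    if decoded.startswith("/") or "\x00" in decoded:
        raise PathTraversalError(f"rejected: {user_path!r}")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if candidate != base and not candidate.startswith(base + "/"):
        raise PathTraversalError(f"rejected: {user_path!r} escapes {base_dir!r}")
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    """Boolean form of resolve_within for callers that only need a verdict."""
    try:
        resolve_within(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed inputs, not taken from any advisory.
    base = "/srv/app/data"
    for p in ["reports/q1.xml", "a/../b.txt", "../../etc/passwd",
              "..%2F..%2F..%2Fetc%2Fpasswd", "/etc/passwd",
              "reports/../../data_secret/x"]:
        print(f"{p!r:40} -> {'allowed' if is_contained(base, p) else 'REJECTED'}")
```

The same containment test applies whatever the file API is; what changes between stacks is only which decoding steps happen before the path reaches it, and the check has to sit after the last of them.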
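Three entries above (CVE-2020-6202, CVE-2020-6187, CVE-2020-6177) concern XML documents accepted from untrusted or semi-trusted sources without sufficient validation, with the CVE-2020-6177 text noting that external entities were already disabled and the remaining impact was denial of service. The usual hardening for that combination is to reject any DTD before the parser starts expanding entities. The block below is an added example of that rule using Python's `expat` binding; it is not SAP's code and does not describe the fixes SAP shipped. The sample documents and the `parse_without_dtd` / `is_accepted` names are constructed for this page.

```python
"""Reject DOCTYPE and entity declarations before parsing (added example)."""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when the document declares a DTD or any entity."""


def parse_without_dtd(data: bytes) -> dict:
    """Parse `data` with expat and return {element_name: count}.

    Any DOCTYPE or entity declaration aborts parsing immediately, so neither
    internal entity expansion ("billion laughs") nor external entity
    references (XXE) ever reach the expansion logic. The exceptions raised
    inside the handlers propagate out of Parse().
    """
    counts: dict = {}

    def start_element(name, attrs):
        counts[name] = counts.get(name, 0) + 1

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE not allowed (root {name!r})")

    def entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration not allowed ({name!r})")

    parser = expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.Parse(data, True)
    return counts


def is_accepted(data: bytes) -> bool:
    """True if the document parses with the DTD-free policy, else False."""
    try:
        parse_without_dtd(data)
        return True
    except (UnsafeXMLError, expat.ExpatError):
        return False


# Constructed samples, not taken from any advisory.
BENIGN = b'<?xml version="1.0"?><config><ldap host="ldap.example" port="636"/></config>'

BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>"""

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("billion laughs", BILLION_LAUGHS), ("xxe", XXE)]:
        print(f"{label:15} -> {'accepted' if is_accepted(doc) else 'REJECTED'}")
```

Rejecting the DTD outright is stricter than disabling external entities alone, which is the distinction the CVE-2020-6177 text draws: with external resolution off, file disclosure is gone, but an internal entity bomb still costs CPU and memory unless the declaration itself is refused.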