Filtered by vendor Sap
Subscriptions
Total
1493 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-21451 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-08-03 | 8.8 High |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated SGI file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | ||||
| CVE-2021-21449 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-08-03 | 8.8 High |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | ||||
| CVE-2021-21487 | 1 Sap | 1 Payment Engine | 2024-08-03 | 8.8 High |
| SAP Payment Engine version 500, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | ||||
| CVE-2021-21465 | 1 Sap | 1 Business Warehouse | 2024-08-03 | 9.9 Critical |
| The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database. An attacker can include their own SQL commands which the database will execute without properly sanitizing the untrusted data leading to SQL injection vulnerability which can fully compromise the affected SAP system. | ||||
| CVE-2021-21466 | 1 Sap | 2 Business Warehouse, Bw\/4hana | 2024-08-03 | 8.8 High |
| SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service. | ||||
| CVE-2021-21477 | 1 Sap | 1 Commerce | 2024-08-03 | 9.9 Critical |
| SAP Commerce Cloud, versions - 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools rules, an authenticated attacker with this privilege will be able to inject malicious code in the drools rules which when executed leads to Remote Code Execution vulnerability enabling the attacker to compromise the underlying host enabling him to impair confidentiality, integrity and availability of the application. | ||||
| CVE-2021-21471 | 1 Sap | 1 Cla-assistant | 2024-08-03 | 6.5 Medium |
| In CLA-Assistant, versions before 2.8.5, due to improper access control an authenticated user could access API endpoints which are not intended to be used by the user. This could impact the integrity of the application. | ||||
| CVE-2021-21446 | 1 Sap | 1 Netweaver Application Server Abap | 2024-08-03 | 7.5 High |
| SAP NetWeaver AS ABAP, versions 740, 750, 751, 752, 753, 754, 755, allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, this has a high impact on the availability of the service. | ||||
| CVE-2021-21475 | 1 Sap | 1 Netweaver Master Data Management Server | 2024-08-03 | 7.5 High |
| Under specific circumstances SAP Master Data Management, versions - 710, 710.750, allows an unauthorized attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file APIs. Due to this Directory Traversal vulnerability the attacker could read content of arbitrary files on the remote server and expose sensitive data. | ||||
| CVE-2021-21454 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-08-03 | 8.8 High |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated RLE file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | ||||
| CVE-2021-21448 | 1 Sap | 1 Graphical User Interface | 2024-08-03 | 6.5 Medium |
| SAP GUI for Windows, version - 7.60, allows an attacker to spoof logon credentials for Application Server ABAP backend systems in the client PCs memory. Under certain conditions the attacker can access information which would otherwise be restricted. The exploit can only be executed locally on the client PC and not via Network and the attacker needs at least user authorization of the Operating System user of the victim. | ||||
| CVE-2021-21470 | 1 Sap | 1 Enterprise Performance Management | 2024-08-03 | 4.4 Medium |
| SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in applications that accept attacker-controlled XML configuration files. This occurs as logging service does not disable XML external entities when parsing configuration files and a successful exploit would result in limited impact on integrity and availability of the application. | ||||
| CVE-2021-21456 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-08-03 | 8.8 High |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated DIB file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | ||||
| CVE-2021-21445 | 1 Sap | 1 Commerce Cloud | 2024-08-03 | 5.4 Medium |
| SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user. A successful exploitation of this vulnerability may lead to advanced attacks, including cross-site scripting and page hijacking. | ||||
| CVE-2021-21447 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-08-03 | 5.4 Medium |
| SAP BusinessObjects Business Intelligence platform, versions 410, 420, allows an authenticated attacker to inject malicious JavaScript payload into the custom value input field of an Input Control, which can be executed by User who views the relevant application content, which leads to Stored Cross-Site Scripting. | ||||
| CVE-2021-21444 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-08-03 | 6.1 Medium |
| SAP Business Objects BI Platform, versions - 410, 420, 430, allows multiple X-Frame-Options headers entries in the response headers, which may not be predictably treated by all user agents. This could, as a result, nullify the added X-Frame-Options header leading to Clickjacking attack. | ||||
| CVE-2022-41275 | 1 Sap | 1 Solution Manager | 2024-08-03 | 6.1 Medium |
| In SAP Solution Manager (Enterprise Search) - versions 740, and 750, an unauthenticated attacker can generate a link that, if clicked by a logged-in user, can be redirected to a malicious page that could read or modify sensitive information, or expose the user to a phishing attack, with little impact on confidentiality and integrity. | ||||
| CVE-2022-41263 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2024-08-03 | 4.3 Medium |
| Due to a missing authentication check, SAP Business Objects Business Intelligence Platform (Web Intelligence) - versions 420, 430, allows an authenticated non-administrator attacker to modify the data source information for a document that is otherwise restricted. On successful exploitation, the attacker can modify information causing a limited impact on the integrity of the application. | ||||
| CVE-2022-41267 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2024-08-03 | 9.9 Critical |
| SAP Business Objects Platform - versions 420, and 430, allows an attacker with normal BI user privileges to upload/replace any file on Business Objects server at the operating system level, enabling the attacker to take full control of the system causing a high impact on confidentiality, integrity, and availability of the application. | ||||
| CVE-2022-41266 | 1 Sap | 1 Commerce Webservices 2.0 | 2024-08-03 | 8 High |
| Due to a lack of proper input validation, SAP Commerce Webservices 2.0 (Swagger UI) - versions 1905, 2005, 2105, 2011, 2205, allows malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a DOM Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to steal user tokens and achieve a full account takeover including access to administrative tools in SAP Commerce. | ||||