Filtered by vendor Sap
Subscriptions
Total
1493 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-22538 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-08-03 | 6.5 Medium |
| When a user opens a manipulated Adobe Illustrator file format (.ai, ai.x3d) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application. The file format details along with their CVE relevant information can be found below. | ||||
| CVE-2022-22530 | 1 Sap | 1 S\/4hana | 2024-08-03 | 8.1 High |
| The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to inject dangerous content or malicious code which could result in critical information being modified or completely compromise the availability of the application. | ||||
| CVE-2022-22531 | 1 Sap | 1 S\/4hana | 2024-08-03 | 8.1 High |
| The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to run arbitrary script code, resulting in sensitive information being disclosed or modified. | ||||
| CVE-2023-49587 | 1 Sap | 1 Solution Manager | 2024-08-02 | 6.4 Medium |
| SAP Solution Manager - version 720, allows an authorized attacker to execute certain deprecated function modules which can read or modify data of same or other component without user interaction over the network. | ||||
| CVE-2023-49581 | 1 Sap | 1 Netweaver Application Server Abap | 2024-08-02 | 4.1 Medium |
| SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to write data to a database table. By doing so the attacker could increase response times of the AS ABAP, leading to mild impact on availability. | ||||
| CVE-2023-49584 | 1 Sap | 1 Fiori Launchpad | 2024-08-02 | 4.3 Medium |
| SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, allows an attacker to use HTTP verb POST on read-only service causing low impact on Confidentiality of the application. | ||||
| CVE-2023-49577 | 1 Sap | 1 Human Capital Management | 2024-08-02 | 6.1 Medium |
| The SAP HCM (SMART PAYE solution) - versions S4HCMCIE 100, SAP_HRCIE 600, SAP_HRCIE 604, SAP_HRCIE 608, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application. | ||||
| CVE-2023-49058 | 1 Sap | 1 Master Data Governance | 2024-08-02 | 3.5 Low |
| SAP Master Data Governance File Upload application allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing ‘traverse to parent directory’ are passed through to the file APIs. As a result, it has a low impact to the confidentiality. | ||||
| CVE-2023-42476 | 1 Sap | 1 Businessobjects Web Intelligence | 2024-08-02 | 6.8 Medium |
| SAP Business Objects Web Intelligence - version 420, allows an authenticated attacker to inject JavaScript code into Web Intelligence documents which is then executed in the victim’s browser each time the vulnerable page is visited. Successful exploitation can lead to exposure of the data that the user has access to. In the worst case, attacker could access data from reporting databases. | ||||
| CVE-2023-42479 | 1 Sap | 1 Biller Direct | 2024-08-02 | 6.1 Medium |
| An unauthenticated attacker can embed a hidden access to a Biller Direct URL in a frame which, when loaded by the user, will submit a cross-site scripting request to the Biller Direct system. This can result in the disclosure or modification of non-sensitive information. | ||||
| CVE-2023-42478 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2024-08-02 | 7.5 High |
| SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to upload agnostic documents in the system which when opened by any other user could lead to high impact on integrity of the application. | ||||
| CVE-2023-42473 | 1 Sap | 1 S\/4hana | 2024-08-02 | 5.4 Medium |
| S/4HANA Manage (Withholding Tax Items) - version 106, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges which has low impact on the confidentiality and integrity of the application. | ||||
| CVE-2023-37490 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-08-02 | 7.6 High |
| SAP Business Objects Installer - versions 420, 430, allows an authenticated attacker within the network to overwrite an executable file created in a temporary directory during the installation process. On replacing this executable with a malicious file, an attacker can completely compromise the confidentiality, integrity, and availability of the system | ||||
| CVE-2023-36922 | 1 Sap | 1 Netweaver | 2024-08-02 | 9.1 Critical |
| Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. On successful exploitation, the attacker can read or modify the system data as well as shut down the system. | ||||
| CVE-2023-33986 | 1 Sap | 1 Customer Relationship Management Abap | 2024-08-02 | 6.1 Medium |
| SAP CRM ABAP (Grantor Management) - versions 700, 701, 702, 712, 713, 714, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application. | ||||
| CVE-2023-33991 | 1 Sap | 1 Ui | 2024-08-02 | 8.2 High |
| SAP UI5 Variant Management - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, UI_700 200, does not sufficiently encode user-controlled inputs on reading data from the server, resulting in Stored Cross-Site Scripting (Stored XSS) vulnerability. After successful exploitation, an attacker with user level access can cause high impact on confidentiality, modify some information and can cause unavailability of the application at user level. | ||||
| CVE-2023-33987 | 1 Sap | 1 Web Dispatcher | 2024-08-02 | 8.6 High |
| An unauthenticated attacker in SAP Web Dispatcher - versions WEBDISP 7.49, WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.81, WEBDISP 7.85, WEBDISP 7.88, WEBDISP 7.89, WEBDISP 7.90, KERNEL 7.49, KERNEL 7.53, KERNEL 7.54 KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.88, KERNEL 7.89, KERNEL 7.90, KRNL64NUC 7.49, KRNL64UC 7.49, KRNL64UC 7.53, HDB 2.00, XS_ADVANCED_RUNTIME 1.00, SAP_EXTENDED_APP_SERVICES 1, can submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages. This can result in the back-end server executing a malicious payload which can be used to read or modify information on the server or make it temporarily unavailable. | ||||
| CVE-2023-33984 | 1 Sap | 1 Netweaver | 2024-08-02 | 6.4 Medium |
| SAP NetWeaver (Design Time Repository) - version 7.50, returns an unfavorable content type for some versioned files, which could allow an authorized attacker to create a file with a malicious content and send a link to a victim in an email or instant message. Under certain circumstances, this could lead to Cross-Site Scripting vulnerability. | ||||
| CVE-2023-33985 | 1 Sap | 1 Netweaver | 2024-08-02 | 6.1 Medium |
| SAP NetWeaver Enterprise Portal - version 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. | ||||
| CVE-2023-32115 | 1 Sap | 1 Master Data Synchronization | 2024-08-02 | 4.2 Medium |
| An attacker can exploit MDS COMPARE TOOL and use specially crafted inputs to read and modify database commands, resulting in the retrieval of additional information persisted by the system. | ||||