Search
Search Results (19 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-42941 | 1 Sap | 1 Fiori Launchpad | 2025-08-12 | 3.5 Low |
| SAP Fiori (Launchpad) is vulnerable to Reverse Tabnabbing vulnerability due to inadequate external navigation protections for its link (<a>) elements. An attacker with administrative user privileges could exploit this by leveraging compromised or malicious pages. While administrative access is necessary for certain configurations, the attacker does not need the administrative privileges to execute the attack. This could result in unintended manipulation of user sessions or exposure of sensitive information. The issue impacts the confidentiality and integrity of the system, but the availability remains unaffected. | ||||
| CVE-2023-49584 | 1 Sap | 1 Fiori Launchpad | 2025-05-24 | 4.3 Medium |
| SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, allows an attacker to use HTTP verb POST on read-only service causing low impact on Confidentiality of the application. | ||||
| CVE-2023-24528 | 1 Sap | 1 Fiori | 2025-03-20 | 6.5 Medium |
| SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) - version 600, allows an authenticated attacker to exploit a certain misconfigured application endpoint to view sensitive data. This endpoint is normally exposed over the network and successful exploitation can lead to exposure of data like travel documents. | ||||
| CVE-2024-22133 | 1 Sap | 1 Fiori Front End Server | 2025-02-26 | 4.6 Medium |
| SAP Fiori Front End Server - version 605, allows altering of approver details on the read-only field when sending leave request information. This could lead to creation of request with incorrect approver causing low impact on Confidentiality and Integrity with no impact on Availability of the application. | ||||
| CVE-2024-25643 | 1 Sap | 1 Fiori | 2024-11-21 | 4.3 Medium |
| The SAP Fiori app (My Overtime Request) - version 605, does not perform the necessary authorization checks for an authenticated user which may result in an escalation of privileges. It is possible to manipulate the URLs of data requests to access information that the user should not have access to. There is no impact on integrity and availability. | ||||
| CVE-2022-26101 | 1 Sap | 1 Fiori Launchpad | 2024-11-21 | 6.1 Medium |
| Fiori launchpad - versions 754, 755, 756, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | ||||
| CVE-2021-33699 | 1 Sap | 1 Fiori Client | 2024-11-21 | 6.5 Medium |
| Task Hijacking is a vulnerability that affects the applications running on Android devices due to a misconfiguration in their AndroidManifest.xml with their Task Control features. This allows an unauthorized attacker or malware to takeover legitimate apps and to steal user's sensitive information. | ||||
| CVE-2021-27605 | 1 Sap | 1 Fiori Apps 2.0 For Travel Management In Sap Erp | 2024-11-21 | 4.3 Medium |
| SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted. | ||||
| CVE-2020-6283 | 1 Sap | 1 Fiori Launchpad | 2024-11-21 | 6.1 Medium |
| SAP Fiori Launchpad does not sufficiently encode user controlled inputs, and hence allowing the attacker to inject the meta tag into the launchpad html using the vulnerable parameter, resulting in reflected Cross-Site Scripting (XSS) vulnerability. With a successful attack, the attacker can steal authentication information of the user, such as data relating to his or her current session. | ||||
| CVE-2020-6266 | 1 Sap | 1 Fiori | 2024-11-21 | 5.4 Medium |
| SAP Fiori for SAP S/4HANA, versions - 100, 200, 300, 400, allows an attacker to redirect users to a malicious site due to insufficient URL validation, leading to URL Redirection. | ||||
| CVE-2020-6210 | 1 Sap | 1 Fiori Launchpad | 2024-11-21 | 6.1 Medium |
| SAP Fiori Launchpad, versions- 753, 754, does not sufficiently encode user-controlled inputs, and hence allowing the attacker to inject the meta tag into the launchpad html using the vulnerable parameter, leading to reflected Cross-Site Scripting (XSS) vulnerability. | ||||
| CVE-2020-26825 | 1 Sap | 1 Fiori Launchpad \(news Tile Application\) | 2024-11-21 | 6.1 Medium |
| SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to use SAP Fiori Launchpad News tile Application to send malicious code, to a different end user (victim), because News tile does not sufficiently encode user controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability. Information maintained in the victim's web browser can be read, modified, and sent to the attacker. The malicious code cannot significantly impact the victim's browser and the victim can easily close the browser tab to terminate it. | ||||
| CVE-2020-26815 | 1 Sap | 1 Fiori Launchpad \(news Tile Application\) | 2024-11-21 | 8.6 High |
| SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to send a crafted request to a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network to retrieve sensitive / confidential resources which are otherwise restricted for internal usage only, resulting in a Server-Side Request Forgery vulnerability. | ||||
| CVE-2018-2491 | 1 Sap | 1 Fiori Client | 2024-11-21 | N/A |
| When opening a deep link URL in SAP Fiori Client with log level set to "Debug", the client application logs the URL to the log file. If this URL contains malicious JavaScript code it can eventually run inside the built-in log viewer of the application in case user opens the viewer and taps on the hyperlink in the viewer. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version. | ||||
| CVE-2018-2490 | 1 Sap | 1 Fiori Client | 2024-11-21 | N/A |
| The broadcast messages received by SAP Fiori Client are not protected by permissions. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version. | ||||
| CVE-2018-2489 | 1 Sap | 1 Fiori Client | 2024-11-21 | N/A |
| Locally, without any permission, an arbitrary android application could delete the SSO configuration of SAP Fiori Client. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version. | ||||
| CVE-2018-2488 | 1 Sap | 1 Fiori Client | 2024-11-21 | N/A |
| It is possible for a malware application installed on an Android device to send local push notifications with an empty message to SAP Fiori Client and cause the application to crash. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version. | ||||
| CVE-2018-2485 | 1 Sap | 1 Fiori Client | 2024-11-21 | N/A |
| It is possible for a malicious application or malware to execute JavaScript in a SAP Fiori application. This can include reading and writing of information and calling device specific JavaScript APIs in the application. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version. | ||||
| CVE-2018-2474 | 1 Sap | 1 Fiori | 2024-11-21 | N/A |
| SAP Fiori 1.0 for SAP ERP HCM (Approve Leave Request, version 2) application allows an attacker to trick an authenticated user to send unintended request to the web server. This vulnerability is due to insufficient CSRF protection. | ||||
Page 1 of 1.