Filtered by vendor Sap
Subscriptions
Total
1620 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-15297 | 1 Sap | 1 Host Agent | 2025-04-20 | N/A |
| SAP Hostcontrol does not require authentication for the SOAP SAPControl endpoint. This is SAP Security Note 2442993. | ||||
| CVE-2017-16679 | 1 Sap | 1 Sap Kernel | 2025-04-20 | N/A |
| URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52, that allows an attacker to redirect users to a malicious site. | ||||
| CVE-2017-16683 | 1 Sap | 1 Businessobjects | 2025-04-20 | N/A |
| Denial of Service (DOS) in SAP Business Objects Platform, Enterprise 4.10 and 4.20, that could allow an attacker to prevent legitimate users from accessing a service. | ||||
| CVE-2017-16684 | 1 Sap | 1 Business Intelligence Promotion Management Application | 2025-04-20 | N/A |
| SAP Business Intelligence Promotion Management Application, Enterprise 4.10, 4.20, and 4.30, does not perform authentication checks for functionalities that require user identity. | ||||
| CVE-2017-16687 | 1 Sap | 1 Hana Database | 2025-04-20 | N/A |
| The user self-service tools of SAP HANA extended application services, classic user self-service, a part of SAP HANA Database versions 1.00 and 2.00, can be misused to enumerate valid and invalid user accounts. An unauthenticated user could use the error messages to determine if a given username is valid. | ||||
| CVE-2017-15294 | 1 Sap | 1 Customer Relationship Management | 2025-04-20 | N/A |
| The Java administration console in SAP CRM has XSS. This is SAP Security Note 2478964. | ||||
| CVE-2016-10310 | 1 Sap | 1 Sql Anywhere | 2025-04-20 | N/A |
| Buffer overflow in the MobiLink Synchronization Server component in SAP SQL Anywhere 17 and possibly earlier allows remote authenticated users to cause a denial of service (resource consumption and process crash) by sending a crafted packet several times, aka SAP Security Note 2308778. | ||||
| CVE-2017-6950 | 1 Sap | 1 Gui For Windows | 2025-04-20 | N/A |
| SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended security policy restrictions and execute arbitrary code via a crafted ABAP code, aka SAP Security Note 2407616. | ||||
| CVE-2017-16689 | 1 Sap | 1 Sap Kernel | 2025-04-20 | N/A |
| A Trusted RFC connection in SAP KERNEL 32NUC, SAP KERNEL 32Unicode, SAP KERNEL 64NUC, SAP KERNEL 64Unicode 7.21, 7.21EXT, 7.22, 7.22EXT; SAP KERNEL from 7.21 to 7.22, 7.45, 7.49, can be established to a different client or a different user on the same system, although no explicit Trusted/Trusting Relation to the same system has been defined. | ||||
| CVE-2017-16678 | 1 Sap | 4 Epbc, Epbc2, Kmc-bc and 1 more | 2025-04-20 | N/A |
| Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service, EPBC and EPBC2 from 7.00 to 7.02; KMC-BC 7.30, 7.31, 7.40 and 7.50, that allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application. | ||||
| CVE-2016-10304 | 1 Sap | 1 Netweaver Application Server Java | 2025-04-20 | 6.5 Medium |
| The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788. | ||||
| CVE-2017-5372 | 1 Sap | 1 Netweaver | 2025-04-20 | N/A |
| The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for the (1) getInformation, (2) getParameters, (3) getServiceInfo, (4) getStatistic, or (5) getClientStatistic function, aka SAP Security Note 2331908. | ||||
| CVE-2022-41275 | 1 Sap | 1 Solution Manager | 2025-04-18 | 6.1 Medium |
| In SAP Solution Manager (Enterprise Search) - versions 740, and 750, an unauthenticated attacker can generate a link that, if clicked by a logged-in user, can be redirected to a malicious page that could read or modify sensitive information, or expose the user to a phishing attack, with little impact on confidentiality and integrity. | ||||
| CVE-2024-21736 | 1 Sap | 1 S\/4hana Finance | 2025-04-17 | 6.4 Medium |
| SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks. A function import could be triggered allowing the attacker to create in-house bank accounts leading to low impact on the confidentiality of the application. | ||||
| CVE-2024-27900 | 1 Sap | 1 Abap Platform | 2025-04-16 | 4.3 Medium |
| Due to missing authorization check, attacker with business user account in SAP ABAP Platform - version 758, 795, can change the privacy setting of job templates from shared to private. As a result, the selected template would only be accessible to the owner. | ||||
| CVE-2015-8840 | 1 Sap | 1 Netweaver Application Server Java | 2025-04-12 | 8.8 High |
| The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215. | ||||
| CVE-2014-8315 | 1 Sap | 1 Businessobjects Explorer | 2025-04-12 | N/A |
| polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 replies with different timing depending on if a connection can be made, which allows remote attackers to conduct port scanning attacks via a host name and port in the cms parameter. | ||||
| CVE-2016-1910 | 1 Sap | 1 Netweaver | 2025-04-12 | N/A |
| The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers to decrypt unspecified data via unknown vectors, aka SAP Security Note 2191290. | ||||
| CVE-2015-8329 | 1 Sap | 1 Manufacturing Integration And Intelligence | 2025-04-12 | N/A |
| SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) uses weak encryption (Base64 and DES), which allows attackers to conduct downgrade attacks and decrypt passwords via unspecified vectors, aka SAP Security Note 2240274. | ||||
| CVE-2016-1911 | 1 Sap | 1 Netweaver | 2025-04-12 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) Runtime Workbench (RWB) or (2) Pmitest servlet in the Process Monitoring Infrastructure (PMI), aka SAP Security Notes 2206793 and 2234918. | ||||