Filtered by vendor Sap
Subscribe
Total
1494 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-16691 | 1 Sap | 1 Business Application Software Integrated Solution | 2025-04-20 | 5.8 MEDIUM | 6.5 MEDIUM |
| SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52) supports upload of digitally signed note file of type 'SAR'. The digital signature verification is done together with the extraction of note file contained in the SAR archive. It is possible to append a tampered file to the SAR archive using SAPCAR tool and during the extraction, digital signature verification fails but the tampered file is extracted. | |||||
| CVE-2017-11459 | 1 Sap | 1 Trex | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via an fget command or (2) write to arbitrary files and consequently execute arbitrary code via an fdir command, aka SAP Security Note 2419592. | |||||
| CVE-2017-16679 | 1 Sap | 1 Sap Kernel | 2025-04-20 | 5.8 MEDIUM | 6.1 MEDIUM |
| URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52, that allows an attacker to redirect users to a malicious site. | |||||
| CVE-2017-16685 | 1 Sap | 1 Business Warehouse Universal Data Integration | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site scripting (XSS) in SAP Business Warehouse Universal Data Integration, from 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, due to insufficient encoding of user controlled inputs. | |||||
| CVE-2017-16690 | 1 Sap | 1 Plant Connectivity | 2025-04-20 | 6.8 MEDIUM | 7.8 HIGH |
| A malicious DLL preload attack possible on NwSapSetup and Installation self-extracting program for SAP Plant Connectivity 2.3 and 15.0. It is possible that SAPSetup / NwSapSetup.exe loads system DLLs like DWMAPI.dll (located in your Syswow64 / System32 folder) from the folder the executable is in and not from the system location. The desired behavior is that system dlls are only loaded from the system folders. If a dll with the same name as the system dll is located in the same folder as the executable, this dll is loaded and code is executed. | |||||
| CVE-2017-15295 | 1 Sap | 1 Point Of Sale Xpress Server | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| Xpress Server in SAP POS does not require authentication for read/write/delete file access. This is SAP Security Note 2520064. | |||||
| CVE-2017-15293 | 1 Sap | 1 Point Of Sale Xpress Server | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064. | |||||
| CVE-2015-7241 | 1 Sap | 1 Netweaver | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01. | |||||
| CVE-2017-8915 | 1 Sap | 1 Hana Xs | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to cause a denial of service (assertion failure and service crash) by pushing a package with a filename containing a $ (dollar sign) or % (percent) character, aka SAP Security Note 2407694. | |||||
| CVE-2016-6256 | 1 Sap | 1 Business One | 2025-04-20 | 6.8 MEDIUM | 9.6 CRITICAL |
| SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065. | |||||
| CVE-2017-12637 | 1 Sap | 1 Netweaver Application Server Java | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657. | |||||
| CVE-2014-8588 | 1 Sap | 1 Hana | 2025-04-12 | 7.5 HIGH | N/A |
| SQL injection vulnerability in metadata.xsjs in SAP HANA 1.00.60.379371 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2014-8666 | 1 Sap | 1 Business Intelligence Development Workbench | 2025-04-12 | 5.0 MEDIUM | N/A |
| The User & Server configuration, InfoView refresh, user rights (BI-BIP-ADM) component in SAP Business Intellignece allows remote attackers to obtain audit event details via unspecified vectors. | |||||
| CVE-2015-7828 | 1 Sap | 1 Hana | 2025-04-12 | 10.0 HIGH | N/A |
| SAP HANA Database 1.00 SPS10 and earlier do not require authentication, which allows remote attackers to execute arbitrary code or have unspecified other impact via a TrexNet packet to the (1) fcopydir, (2) fmkdir, (3) frmdir, (4) getenv, (5) dumpenv, (6) fcopy, (7) fput, (8) fdel, (9) fmove, (10) fget, (11) fappend, (12) fdir, (13) getTraces, (14) kill, (15) pexec, (16) stop, or (17) pythonexec method, aka SAP Security Note 2165583. | |||||
| CVE-2014-8312 | 1 Sap | 1 Netweaver Abap | 2025-04-12 | 3.5 LOW | N/A |
| Business Warehouse (BW) in SAP Netweaver AS ABAP 7.31 allows remote authenticated users to obtain sensitive information via a request to the RSDU_CCMS_GET_PROFILE_PARAM RFC function. | |||||
| CVE-2015-7727 | 1 Sap | 1 Hana | 2025-04-12 | 6.5 MEDIUM | N/A |
| Multiple SQL injection vulnerabilities in the Web-based Development Workbench in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors in the (1) trace configuration page or (2) getSqlTraceConfiguration function, aka SAP Security Note 2153898. | |||||
| CVE-2016-4015 | 1 Sap | 1 Netweaver | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
| The Enqueue Server in SAP NetWeaver JAVA AS 7.1 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted request, aka SAP Security Note 2258784. | |||||
| CVE-2016-3685 | 3 Apple, Microsoft, Sap | 3 Macos, Windows, Download Manager | 2025-04-12 | 1.9 LOW | 4.7 MEDIUM |
| SAP Download Manager 2.1.142 and earlier generates an encryption key from a small key space on Windows and Mac systems, which allows context-dependent attackers to obtain sensitive configuration information by leveraging knowledge of a hardcoded key in the program code and a computer BIOS serial number, aka SAP Security Note 2282338. | |||||
| CVE-2015-4091 | 1 Sap | 1 Sap Netweaver Application Server Java | 2025-04-12 | 7.5 HIGH | N/A |
| XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to send TCP requests to intranet servers or possibly have unspecified other impact via an XML request to tc~sld~wd~main/Main, related to "CIM UPLOAD," aka SAP Security Note 2090851. | |||||
| CVE-2014-8667 | 1 Sap | 1 Hana Web-based Development Workbench | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in SAP HANA Web-based Development Workbench allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||