Filtered by vendor Sap
Subscribe
Total
1521 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-6191 | 1 Sap | 1 Landscape Management | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious executables with root privileges in SAP Host Agent via SAP Landscape Management due to Missing Input Validation. | |||||
| CVE-2020-6190 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 5.0 MEDIUM | 5.8 MEDIUM |
| Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and installation path that could be misused by an attacker leading to Information Disclosure. | |||||
| CVE-2020-6189 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Certain settings page(s) in SAP Business Objects Business Intelligence Platform (CMC), version 4.2, generates error messages that can give enterprise private-network related information which would otherwise be restricted leading to Information Disclosure. | |||||
| CVE-2020-6188 | 1 Sap | 2 Erp, S\/4 Hana | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check. | |||||
| CVE-2020-6187 | 1 Sap | 1 Netweaver Guided Procedures | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| SAP NetWeaver (Guided Procedures), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document input from a compromised admin, leading to Denial of Service. | |||||
| CVE-2020-6186 | 1 Sap | 1 Host Agent | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Host Agent, version 7.21, allows an attacker to cause a slowdown in processing of username/password-based authentication requests of the SAP Host Agent, leading to Denial of Service. | |||||
| CVE-2020-6185 | 1 Sap | 2 Netweaver, S\/4hana | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), allows an authenticated attacker to store a malicious payload which results in Stored Cross Site Scripting vulnerability. | |||||
| CVE-2020-6184 | 1 Sap | 2 Netweaver, S\/4hana | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Under certain conditions, ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), does not sufficiently encode user-controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2020-6183 | 1 Sap | 1 Host Agent | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| SAP Host Agent, version 7.21, allows an unprivileged user to read the shared memory or write to the shared memory by sending request to the main SAPOSCOL process and receive responses that may contain data read with user root privileges e.g. size of any directory, system hardware and OS details, leading to Missing Authorization Check vulnerability. | |||||
| CVE-2020-6181 | 1 Sap | 2 Abap Platform, Netweaver | 2024-11-21 | 5.0 MEDIUM | 5.8 MEDIUM |
| Under some circumstances the SAML SSO implementation in the SAP NetWeaver (SAP_BASIS versions 702, 730, 731, 740 and SAP ABAP Platform (SAP_BASIS versions 750, 751, 752, 753, 754), allows an attacker to include invalidated data in the HTTP response header sent to a Web user, leading to HTTP Response Splitting vulnerability. | |||||
| CVE-2020-6178 | 1 Sap | 1 Enable Now | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| SAP Enable Now, before version 1911, sends the Session ID cookie value in URL. This might be stolen from the browser history or log files, leading to Information Disclosure. | |||||
| CVE-2020-6177 | 1 Sap | 1 Mobile Platform | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP Mobile Platform, version 3.0, does not sufficiently validate an XML document accepted from an untrusted source which could lead to partial denial of service. Since SAP Mobile Platform does not allow External-Entity resolving, there is no issue of leaking content of files on the server. | |||||
| CVE-2020-26838 | 1 Sap | 2 Business Warehouse, Bw\/4hana | 2024-11-21 | 9.0 HIGH | 9.1 CRITICAL |
| SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it. | |||||
| CVE-2020-26837 | 1 Sap | 1 Solution Manager | 2024-11-21 | 6.5 MEDIUM | 9.1 CRITICAL |
| SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, allows an authenticated user to upload a malicious script that can exploit an existing path traversal vulnerability to compromise confidentiality exposing elements of the file system, partially compromise integrity allowing the modification of some configurations and partially compromise availability by making certain services unavailable. | |||||
| CVE-2020-26836 | 1 Sap | 1 Solution Manager | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| SAP Solution Manager (Trace Analysis), version - 720, allows for misuse of a parameter in the application URL leading to Open Redirect vulnerability, an attacker can enter a link to malicious site which could trick the user to enter credentials or download malicious software, as a parameter in the application URL and share it with the end user who could potentially become a victim of the attack. | |||||
| CVE-2020-26835 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver AS ABAP, versions - 740, 750, 751, 752, 753, 754 , does not sufficiently encode URL which allows an attacker to input malicious java script in the URL which could be executed in the browser resulting in Reflected Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2020-26834 | 1 Sap | 1 Hana Database | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| SAP HANA Database, version - 2.0, does not correctly validate the username when performing SAML bearer token-based user authentication. It is possible to manipulate a valid existing SAML bearer token to authenticate as a user whose name is identical to the truncated username for whom the SAML bearer token was issued. | |||||
| CVE-2020-26832 | 1 Sap | 2 Netweaver Application Server Abap, S\/4 Hana | 2024-11-21 | 7.5 HIGH | 7.6 HIGH |
| SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable. | |||||
| CVE-2020-26831 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-11-21 | 5.5 MEDIUM | 9.6 CRITICAL |
| SAP BusinessObjects BI Platform (Crystal Report), versions - 4.1, 4.2, 4.3, does not sufficiently validate uploaded XML entities during crystal report generation due to missing XML validation, An attacker with basic privileges can inject some arbitrary XML entities leading to internal file disclosure, internal directories disclosure, Server-Side Request Forgery (SSRF) and denial-of-service (DoS). | |||||
| CVE-2020-26830 | 1 Sap | 1 Solution Manager | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, does not perform necessary authorization checks for an authenticated user. Due to inadequate access control, a network attacker authenticated as a regular user can use operations which should be restricted to administrators. These operations can be used to Change the User Experience Monitoring configuration, obtain details about the configured SAP Solution Manager agents, Deploy a malicious User Experience Monitoring script. | |||||