Vulnerabilities > SAP

DATE | CVE | VULNERABILITY TITLE | RISK (score; attack vector, attack complexity, vendor, CWE)

2024-01-09  CVE-2024-21736  Improper Authorization vulnerability in SAP S/4Hana Finance 107/128  (risk 6.5)
    SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks.
    Attack vector: network; attack complexity: low; vendor: sap; CWE-285

2024-01-09  CVE-2024-21737  Code Injection vulnerability in SAP Application Interface Framework 702  (risk 9.1, critical)
    In SAP Application Interface Framework File Adapter - version 702, a high privilege user can use a function module to traverse through various layers and execute OS commands directly.
    Attack vector: network; attack complexity: low; vendor: sap; CWE-94

2024-01-09  CVE-2024-21738  Cross-site Scripting vulnerability in SAP Netweaver Application Server Abap  (risk 5.4)
    SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation.
    Attack vector: network; attack complexity: low; vendor: sap; CWE-79

2024-01-09  CVE-2024-22124  Unspecified vulnerability in SAP Netweaver  (risk 7.5)
    Under certain conditions, Internet Communication Manager (ICM) or SAP Web Dispatcher - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22_EXT, WEBDISP 7.22_EXT, WEBDISP 7.53, WEBDISP 7.54, could allow an attacker to access information which would otherwise be restricted, causing high impact on confidentiality.
    Attack vector: network; attack complexity: low; vendor: sap

2024-01-09  CVE-2024-22125  Unspecified vulnerability in SAP GUI Connector 1.0  (risk 7.5)
    Under certain conditions the Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) - version 1.0, allows an attacker to access highly sensitive information which would otherwise be restricted, causing high impact on confidentiality.
    Attack vector: network; attack complexity: low; vendor: sap

2024-01-09  CVE-2024-21734  Open Redirect vulnerability in SAP Marketing 160  (risk 5.4)
    SAP Marketing (Contacts App) - version 160, allows an attacker with low privileges to trick a user into opening a malicious page, which could lead to a very convincing phishing attack with low impact on confidentiality and integrity of the application.
    Attack vector: network; attack complexity: low; vendor: sap; CWE-601

2024-01-09  CVE-2024-21735  Incorrect Authorization vulnerability in SAP LT Replication Server  (risk 7.2)
    SAP LT Replication Server - versions S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, does not perform necessary authorization checks.
    Attack vector: network; attack complexity: low; vendor: sap; CWE-863

2023-12-12  CVE-2023-50424  Improper Privilege Management vulnerability in SAP Cloud-Security-Client-Go  (risk 9.8, critical)
    SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions < 0.17.0, allows, under certain conditions, an escalation of privileges.
    Attack vector: network; attack complexity: low; vendor: sap; CWE-269

2023-12-12  CVE-2023-49577  Cross-site Scripting vulnerability in SAP Human Capital Management  (risk 6.1)
    The SAP HCM (SMART PAYE solution) - versions S4HCMCIE 100, SAP_HRCIE 600, SAP_HRCIE 604, SAP_HRCIE 608, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
    Attack vector: network; attack complexity: low; vendor: sap; CWE-79

2023-12-12  CVE-2023-49578  Unspecified vulnerability in SAP Cloud Connector 2.0  (risk 3.5)
    SAP Cloud Connector - version 2.0, allows an authenticated user with low privilege to perform a denial-of-service attack from an adjacent UI by sending a malicious request, which leads to low impact on the availability and no impact on confidentiality or integrity of the application.
    Attack complexity: low; vendor: sap