Vulnerabilities > SAP

| Date | CVE | Vulnerability title | Description | Attack vector | Complexity | Vendor | CWE | Risk |
|---|---|---|---|---|---|---|---|---|
| 2018-02-14 | CVE-2018-2371 | Cross-site Scripting vulnerability in SAP NetWeaver Java Web Application 7.50 | The SAML 2.0 service provider of SAP NetWeaver AS Java Web Application 7.50 does not sufficiently encode user-controlled inputs, which results in a Cross-Site Scripting (XSS) vulnerability. | network | low complexity | sap | CWE-79 | 6.1 |
| 2018-02-14 | CVE-2018-2370 | Server-Side Request Forgery (SSRF) vulnerability in SAP BI Launchpad 4.10/4.20/4.30 | A Server-Side Request Forgery (SSRF) vulnerability in SAP Central Management Console, BI Launchpad and Fiori BI Launchpad 4.10, 4.20 and 4.30 could allow a malicious user to use common techniques to determine which ports are in use on the backend server. | network | low complexity | sap | CWE-918 | 5.3 |
| 2018-02-14 | CVE-2018-2369 | Unspecified vulnerability in SAP HANA 1.00/2.00 | Under certain conditions SAP HANA 1.00 and 2.00 allow an unauthenticated attacker to access information which would otherwise be restricted. | network | low complexity | sap | (none listed) | 5.3 |
| 2018-02-14 | CVE-2018-2364 | Cross-site Scripting vulnerability in SAP products | SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01 and S4FND 1.02 do not sufficiently validate and/or encode hidden fields, resulting in a Cross-Site Scripting (XSS) vulnerability. | network | low complexity | sap | CWE-79 | 6.1 |
| 2018-01-09 | CVE-2018-2363 | Code Injection vulnerability in SAP products | SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40 and from 7.50 to 7.52, contains code that allows execution of arbitrary program code of the user's choice. | network | low complexity | sap | CWE-94 | 8.8 |
| 2018-01-09 | CVE-2018-2362 | Unspecified vulnerability in SAP HANA 1.00/2.00 | A remote unauthenticated attacker could send specially crafted SOAP requests to the SAP Startup Service of SAP HANA 1.00 and 2.00 and disclose information such as the platform's hostname. | network | low complexity | sap | (none listed) | 5.3 |
| 2018-01-09 | CVE-2018-2361 | Incorrect Authorization vulnerability in SAP Solution Manager 7.20 | In SAP Solution Manager 7.20, the role SAP_BPO_CONFIG gives the Business Process Operations (BPO) configuration user more authorization than is required for configuring the BPO tools. | network | low complexity | sap | CWE-863 | 8.8 |
| 2018-01-09 | CVE-2018-2360 | Missing Authentication for Critical Function vulnerability in SAP Kernel 7.45/7.49/7.52 | The SAP Startup Service in SAP KERNEL 7.45, 7.49 and 7.52 is missing an authentication check for functionalities that require user identity, which can cause consumption of file system storage. | network | low complexity | sap | CWE-306 | 7.5 |
| 2017-12-12 | CVE-2017-16691 | Improper Input Validation vulnerability in SAP Business Application Software Integrated Solution | The SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52) supports upload of digitally signed note files of type 'SAR'. | network | low complexity | sap | CWE-20 | 6.5 |
| 2017-12-12 | CVE-2017-16690 | Untrusted Search Path vulnerability in SAP Plant Connectivity 15.0/2.3 | A malicious DLL preload attack is possible on the NwSapSetup and Installation self-extracting program for SAP Plant Connectivity 2.3 and 15.0. | local | low complexity | sap | CWE-426 | 7.8 |