Vulnerabilities > SAP

DATE  CVE  VULNERABILITY TITLE
  Description
  Risk: attack vector, attack complexity, vendor, CWE, severity rating (where given), CVSS score

2017-05-26  CVE-2016-6256  XXE vulnerability in SAP Business ONE 1.2.3
  SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065.
  Risk: network, low complexity, sap, CWE-611, critical, 9.6

2017-05-23  CVE-2017-8915  Reachable Assertion vulnerability in SAP Hana XS 1.00/2.00
  sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to cause a denial of service (assertion failure and service crash) by pushing a package with a filename containing a $ (dollar sign) or % (percent) character, aka SAP Security Note 2407694.
  Risk: network, low complexity, sap, CWE-617, 7.5

2017-05-23  CVE-2017-8914  Unspecified vulnerability in SAP Hana XS 1.00/2.00
  sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to hijack npm packages or host arbitrary files by leveraging an insecure user creation policy, aka SAP Security Note 2407694.
  Risk: network, low complexity, sap, 8.3

2017-05-23  CVE-2017-8913  XXE vulnerability in SAP Netweaver Application Server Java 7.50
  The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873.
  Risk: network, low complexity, sap, CWE-611, 8.8

2017-05-10  CVE-2017-8852  Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP Sapcar 721.510
  SAP SAPCAR 721.510 has a Heap Based Buffer Overflow Vulnerability.
  Risk: local, low complexity, sap, CWE-119, 7.8

2017-04-14  CVE-2017-7717  SQL Injection vulnerability in SAP Netweaver Application Server Java 7.40
  SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504.
  Risk: network, low complexity, sap, CWE-89, 8.8

2017-04-14  CVE-2017-7696  Allocation of Resources Without Limits or Throttling vulnerability in SAP SSO Authentication Library 2.0/3.0
  SAP AS JAVA SSO Authentication Library 2.0 through 3.0 allow remote attackers to cause a denial of service (memory consumption) via large values in the width and height parameters to otp_logon_ui_resources/qr, aka SAP Security Note 2389042.
  Risk: network, low complexity, sap, CWE-770, 7.5

2017-04-13  CVE-2016-6818  SQL Injection vulnerability in SAP Business Intelligence Platform
  SQL injection vulnerability in SAP Business Intelligence platform before January 2017 allows remote attackers to obtain sensitive information, modify data, cause a denial of service (data deletion), or launch administrative operations or possibly OS commands via a crafted SQL query.
  Risk: network, low complexity, sap, CWE-89, critical, 9.8

2017-04-13  CVE-2016-6143  Improper Access Control vulnerability in SAP Hana 1.00.73.00.389160
  SAP HANA DB 1.00.73.00.389160 allows remote attackers to execute arbitrary code via vectors involving the audit logs, aka SAP Security Note 2170806.
  Risk: network, low complexity, sap, CWE-284, critical, 9.8

2017-04-11  CVE-2017-7691  Code Injection vulnerability in SAP Trex
  A code injection vulnerability exists in SAP TREX / Business Warehouse Accelerator (BWA).
  Risk: network, low complexity, sap, CWE-94, critical, 9.8