Vulnerabilities > SAP

DATE CVE VULNERABILITY TITLE RISK
2017-04-10 CVE-2016-10311 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP Netweaver
Stack-based buffer overflow in SAP NetWeaver 7.0 through 7.5 allows remote attackers to cause a denial of service () by sending a crafted packet to the SAPSTARTSRV port, aka SAP Security Note 2295238.
network
low complexity
sap CWE-119
critical
9.8
2017-04-10 CVE-2016-10310 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP SQL Anywhere 11.0/16.0/17.0
Buffer overflow in the MobiLink Synchronization Server component in SAP SQL Anywhere 17 and possibly earlier allows remote authenticated users to cause a denial of service (resource consumption and process crash) by sending a crafted packet several times, aka SAP Security Note 2308778.
network
low complexity
sap CWE-119
4.9
2017-04-10 CVE-2016-10304 Deserialization of Untrusted Data vulnerability in SAP Netweaver Application Server Java 7.50
The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788.
network
low complexity
sap CWE-502
6.5
2017-03-23 CVE-2017-6950 Incorrect Permission Assignment for Critical Resource vulnerability in SAP GUI for Windows
SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended security policy restrictions and execute arbitrary code via a crafted ABAP code, aka SAP Security Note 2407616.
network
low complexity
sap CWE-732
critical
9.8
2017-03-16 CVE-2017-6061 Cross-site Scripting vulnerability in SAP Businessobjects Financial Consolidation 10.0.0.1933
Cross-site scripting (XSS) vulnerability in the help component of SAP BusinessObjects Financial Consolidation 10.0.0.1933 allows remote attackers to inject arbitrary web script or HTML via a GET request.
network
low complexity
sap CWE-79
4.7
2017-02-15 CVE-2017-5997 Missing Release of Resource after Effective Lifetime vulnerability in SAP Kernel 7.21/7.22/7.42
The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows remote attackers to cause a denial of service (memory consumption and process crash) via multiple msgserver/group?group= requests with a crafted size of the group parameter, aka SAP Security Note 2358972.
network
low complexity
sap CWE-772
7.5
2017-02-01 CVE-2016-10079 Improper Input Validation vulnerability in SAP Saplpd 7400.3.11.33
SAPlpd through 7400.3.11.33 in SAP GUI 7.40 on Windows has a Denial of Service vulnerability (service crash) with a long string to TCP port 515.
network
low complexity
sap CWE-20
7.5
2017-01-23 CVE-2017-5372 Information Exposure vulnerability in SAP Netweaver
The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for the (1) getInformation, (2) getParameters, (3) getServiceInfo, (4) getStatistic, or (5) getClientStatistic function, aka SAP Security Note 2331908.
network
low complexity
sap CWE-200
7.5
2016-12-31 CVE-2016-6859 Information Exposure vulnerability in SAP Hybris
Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace.
network
low complexity
sap CWE-200
4.3
2016-12-31 CVE-2016-6858 Cross-site Scripting vulnerability in SAP Hybris
Cross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field.
network
low complexity
sap CWE-79
5.4