Vulnerabilities > SAP
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2016-12-31 | CVE-2016-6858 | Cross-site Scripting vulnerability in SAP Hybris Cross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field. | 5.4 |
| 2016-12-31 | CVE-2016-6857 | Cross-site Scripting vulnerability in SAP Hybris Cross-site scripting (XSS) vulnerability in the Create Catalogue feature in Hybris Management Console (HMC) in SAP Hybris before 5.2.0.13, 5.3.x before 5.3.0.11, 5.4.x before 5.4.0.11, 5.5.0.x before 5.5.0.10, 5.5.1.x before 5.5.1.11, 5.6.x before 5.6.0.11, and 5.7.x before 5.7.0.15 allows remote authenticated users to inject arbitrary web script or HTML via the ID field. | 5.4 |
| 2016-12-31 | CVE-2016-6856 | Cross-site Scripting vulnerability in SAP Hybris Cross-site scripting (XSS) vulnerability in the Inbox Search feature in Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to inject arbitrary web script or HTML via the itemsperpage parameter. | 6.1 |
| 2016-12-19 | CVE-2016-10005 | Information Exposure vulnerability in SAP Solution Manager 7.1/7.20/7.31 Webdynpro in SAP Solman 7.1 through 7.31 allows remote attackers to obtain sensitive information via webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd requests, aka SAP Security Note 2344524. | 7.5 |
| 2016-12-14 | CVE-2016-3685 | Use of Hard-coded Credentials vulnerability in SAP Download Manager 1.1.3.0/2.1.142 SAP Download Manager 2.1.142 and earlier generates an encryption key from a small key space on Windows and Mac systems, which allows context-dependent attackers to obtain sensitive configuration information by leveraging knowledge of a hardcoded key in the program code and a computer BIOS serial number, aka SAP Security Note 2282338. | 4.7 |
| 2016-12-14 | CVE-2016-3684 | Unspecified vulnerability in SAP Download Manager 1.1.3.0/2.1.142 SAP Download Manager 2.1.142 and earlier uses a hardcoded encryption key to protect stored data, which allows context-dependent attackers to obtain sensitive configuration information by leveraging knowledge of this key, aka SAP Security Note 2282338. | 4.7 |
| 2016-11-23 | CVE-2016-9563 | XXE vulnerability in SAP Netweaver Application Server Java 7.50 BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909. | 6.5 |
| 2016-11-23 | CVE-2016-9562 | NULL Pointer Dereference vulnerability in SAP Netweaver Application Server Java 7.40 SAP NetWeaver AS JAVA 7.4 allows remote attackers to cause a Denial of Service (null pointer exception and icman outage) via an HTTPS request to the sap.com~P4TunnelingApp!web/myServlet URI, aka SAP Security Note 2313835. | 7.5 |
| 2016-10-13 | CVE-2016-7437 | Unspecified vulnerability in SAP Netweaver 7.40 SAP Netweaver 7.40 improperly logs (1) DUI and (2) DUJ events in the SAP Security Audit Log as non-critical, which might allow local users to hide rejected attempts to execute RFC function callbacks by leveraging filtering of non-critical events in audit analysis reports, aka SAP Security Note 2252312. | 3.3 |
| 2016-10-13 | CVE-2016-4407 | Improper Access Control vulnerability in SAP Sapcryptolib 5.555.38 The DSA algorithm implementation in SAP SAPCRYPTOLIB 5.555.38 does not properly check signatures, which allows remote authenticated users to impersonate arbitrary users via unspecified vectors, aka SAP Security Note 2223008. | 6.5 |