Vulnerabilities > SAP

DATE CVE VULNERABILITY TITLE RISK
2016-12-31 CVE-2016-6857 Cross-site Scripting vulnerability in SAP Hybris
Cross-site scripting (XSS) vulnerability in the Create Catalogue feature in Hybris Management Console (HMC) in SAP Hybris before 5.2.0.13, 5.3.x before 5.3.0.11, 5.4.x before 5.4.0.11, 5.5.0.x before 5.5.0.10, 5.5.1.x before 5.5.1.11, 5.6.x before 5.6.0.11, and 5.7.x before 5.7.0.15 allows remote authenticated users to inject arbitrary web script or HTML via the ID field.
network
low complexity
sap CWE-79
5.4
2016-12-31 CVE-2016-6856 Cross-site Scripting vulnerability in SAP Hybris
Cross-site scripting (XSS) vulnerability in the Inbox Search feature in Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to inject arbitrary web script or HTML via the itemsperpage parameter.
network
low complexity
sap CWE-79
6.1
2016-12-19 CVE-2016-10005 Information Exposure vulnerability in SAP Solution Manager 7.1/7.20/7.31
Webdynpro in SAP Solman 7.1 through 7.31 allows remote attackers to obtain sensitive information via webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd requests, aka SAP Security Note 2344524.
network
low complexity
sap CWE-200
7.5
2016-12-14 CVE-2016-3685 Use of Hard-coded Credentials vulnerability in SAP Download Manager 1.1.3.0/2.1.142
SAP Download Manager 2.1.142 and earlier generates an encryption key from a small key space on Windows and Mac systems, which allows context-dependent attackers to obtain sensitive configuration information by leveraging knowledge of a hardcoded key in the program code and a computer BIOS serial number, aka SAP Security Note 2282338.
local
high complexity
sap CWE-798
4.7
2016-12-14 CVE-2016-3684 Unspecified vulnerability in SAP Download Manager 1.1.3.0/2.1.142
SAP Download Manager 2.1.142 and earlier uses a hardcoded encryption key to protect stored data, which allows context-dependent attackers to obtain sensitive configuration information by leveraging knowledge of this key, aka SAP Security Note 2282338.
local
high complexity
sap
4.7
2016-11-23 CVE-2016-9563 XXE vulnerability in SAP Netweaver Application Server Java 7.50
BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.
network
low complexity
sap CWE-611
6.5
2016-11-23 CVE-2016-9562 NULL Pointer Dereference vulnerability in SAP Netweaver Application Server Java 7.40
SAP NetWeaver AS JAVA 7.4 allows remote attackers to cause a Denial of Service (null pointer exception and icman outage) via an HTTPS request to the sap.com~P4TunnelingApp!web/myServlet URI, aka SAP Security Note 2313835.
network
low complexity
sap CWE-476
7.5
2016-10-13 CVE-2016-7437 Unspecified vulnerability in SAP Netweaver 7.40
SAP Netweaver 7.40 improperly logs (1) DUI and (2) DUJ events in the SAP Security Audit Log as non-critical, which might allow local users to hide rejected attempts to execute RFC function callbacks by leveraging filtering of non-critical events in audit analysis reports, aka SAP Security Note 2252312.
local
low complexity
sap
3.3
2016-10-13 CVE-2016-4407 Improper Access Control vulnerability in SAP Sapcryptolib 5.555.38
The DSA algorithm implementation in SAP SAPCRYPTOLIB 5.555.38 does not properly check signatures, which allows remote authenticated users to impersonate arbitrary users via unspecified vectors, aka SAP Security Note 2223008.
network
low complexity
sap CWE-284
6.5
2016-10-13 CVE-2016-3946 Information Exposure vulnerability in SAP Sapconsole 7.30
SAP Console (aka SAPConsole) 7.30 allows local users to discover SAP Server login credentials by reading the Windows registry, aka SAP Security Note 2121461.
local
low complexity
sap CWE-200
7.8