Vulnerabilities > SAP

DATE CVE VULNERABILITY TITLE RISK
2017-04-10 CVE-2016-10304 Deserialization of Untrusted Data vulnerability in SAP Netweaver Application Server Java 7.50
The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788.
network
low complexity
sap CWE-502
6.5
2017-03-23 CVE-2017-6950 Incorrect Permission Assignment for Critical Resource vulnerability in SAP GUI for Windows
SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended security policy restrictions and execute arbitrary code via a crafted ABAP code, aka SAP Security Note 2407616.
network
low complexity
sap CWE-732
critical
9.8
2017-03-16 CVE-2017-6061 Cross-site Scripting vulnerability in SAP Businessobjects Financial Consolidation 10.0.0.1933
Cross-site scripting (XSS) vulnerability in the help component of SAP BusinessObjects Financial Consolidation 10.0.0.1933 allows remote attackers to inject arbitrary web script or HTML via a GET request.
network
low complexity
sap CWE-79
4.7
2017-02-15 CVE-2017-5997 Missing Release of Resource after Effective Lifetime vulnerability in SAP Kernel 7.21/7.22/7.42
The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows remote attackers to cause a denial of service (memory consumption and process crash) via multiple msgserver/group?group= requests with a crafted size of the group parameter, aka SAP Security Note 2358972.
network
low complexity
sap CWE-772
7.5
2017-02-01 CVE-2016-10079 Improper Input Validation vulnerability in SAP Saplpd 7400.3.11.33
SAPlpd through 7400.3.11.33 in SAP GUI 7.40 on Windows has a Denial of Service vulnerability (service crash) with a long string to TCP port 515.
network
low complexity
sap CWE-20
7.5
2017-01-23 CVE-2017-5372 Information Exposure vulnerability in SAP Netweaver
The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for the (1) getInformation, (2) getParameters, (3) getServiceInfo, (4) getStatistic, or (5) getClientStatistic function, aka SAP Security Note 2331908.
network
low complexity
sap CWE-200
7.5
2016-12-31 CVE-2016-6859 Information Exposure vulnerability in SAP Hybris
Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace.
network
low complexity
sap CWE-200
4.3
2016-12-31 CVE-2016-6858 Cross-site Scripting vulnerability in SAP Hybris
Cross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field.
network
low complexity
sap CWE-79
5.4
2016-12-31 CVE-2016-6857 Cross-site Scripting vulnerability in SAP Hybris
Cross-site scripting (XSS) vulnerability in the Create Catalogue feature in Hybris Management Console (HMC) in SAP Hybris before 5.2.0.13, 5.3.x before 5.3.0.11, 5.4.x before 5.4.0.11, 5.5.0.x before 5.5.0.10, 5.5.1.x before 5.5.1.11, 5.6.x before 5.6.0.11, and 5.7.x before 5.7.0.15 allows remote authenticated users to inject arbitrary web script or HTML via the ID field.
network
low complexity
sap CWE-79
5.4
2016-12-31 CVE-2016-6856 Cross-site Scripting vulnerability in SAP Hybris
Cross-site scripting (XSS) vulnerability in the Inbox Search feature in Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to inject arbitrary web script or HTML via the itemsperpage parameter.
network
low complexity
sap CWE-79
6.1