Vulnerabilities > SAP
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-04-10 | CVE-2016-10304 | Deserialization of Untrusted Data vulnerability in SAP Netweaver Application Server Java 7.50 The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788. | 6.5 |
| 2017-03-23 | CVE-2017-6950 | Incorrect Permission Assignment for Critical Resource vulnerability in SAP GUI for Windows SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended security policy restrictions and execute arbitrary code via a crafted ABAP code, aka SAP Security Note 2407616. | 9.8 |
| 2017-03-16 | CVE-2017-6061 | Cross-site Scripting vulnerability in SAP Businessobjects Financial Consolidation 10.0.0.1933 Cross-site scripting (XSS) vulnerability in the help component of SAP BusinessObjects Financial Consolidation 10.0.0.1933 allows remote attackers to inject arbitrary web script or HTML via a GET request. | 4.7 |
| 2017-02-15 | CVE-2017-5997 | Missing Release of Resource after Effective Lifetime vulnerability in SAP Kernel 7.21/7.22/7.42 The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows remote attackers to cause a denial of service (memory consumption and process crash) via multiple msgserver/group?group= requests with a crafted size of the group parameter, aka SAP Security Note 2358972. | 7.5 |
| 2017-02-01 | CVE-2016-10079 | Improper Input Validation vulnerability in SAP Saplpd 7400.3.11.33 SAPlpd through 7400.3.11.33 in SAP GUI 7.40 on Windows has a Denial of Service vulnerability (service crash) with a long string to TCP port 515. | 7.5 |
| 2017-01-23 | CVE-2017-5372 | Information Exposure vulnerability in SAP Netweaver The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for the (1) getInformation, (2) getParameters, (3) getServiceInfo, (4) getStatistic, or (5) getClientStatistic function, aka SAP Security Note 2331908. | 7.5 |
| 2016-12-31 | CVE-2016-6859 | Information Exposure vulnerability in SAP Hybris Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace. | 4.3 |
| 2016-12-31 | CVE-2016-6858 | Cross-site Scripting vulnerability in SAP Hybris Cross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field. | 5.4 |
| 2016-12-31 | CVE-2016-6857 | Cross-site Scripting vulnerability in SAP Hybris Cross-site scripting (XSS) vulnerability in the Create Catalogue feature in Hybris Management Console (HMC) in SAP Hybris before 5.2.0.13, 5.3.x before 5.3.0.11, 5.4.x before 5.4.0.11, 5.5.0.x before 5.5.0.10, 5.5.1.x before 5.5.1.11, 5.6.x before 5.6.0.11, and 5.7.x before 5.7.0.15 allows remote authenticated users to inject arbitrary web script or HTML via the ID field. | 5.4 |
| 2016-12-31 | CVE-2016-6856 | Cross-site Scripting vulnerability in SAP Hybris Cross-site scripting (XSS) vulnerability in the Inbox Search feature in Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to inject arbitrary web script or HTML via the itemsperpage parameter. | 6.1 |