Vulnerabilities > SAP
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2016-05-13 | CVE-2010-5326 | Unspecified vulnerability in SAP Netweaver Application Server Java The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack. | 10.0 |
2016-04-14 | CVE-2016-4018 | Improper Access Control vulnerability in SAP Hana The Data Provisioning Agent (aka DP Agent) in SAP HANA does not properly restrict access to service functionality, which allows remote attackers to obtain sensitive information, gain privileges, and conduct unspecified other attacks via unspecified vectors, aka SAP Security Note 2262742. | 7.3 |
2016-04-14 | CVE-2016-4017 | Unspecified vulnerability in SAP Hana The Data Provisioning Agent (aka DP Agent) in SAP HANA allows remote attackers to cause a denial of service (process crash) via unspecified vectors, aka SAP Security Note 2262710. | 7.5 |
2016-04-14 | CVE-2016-4016 | Cross-site Scripting vulnerability in SAP Java AS 7.4 Cross-site scripting (XSS) vulnerability in SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) 15 allows remote attackers to inject arbitrary web script or HTML via the title parameter to webdynpro/resources/sap.com/xapps~xmii~ui~admin~navigation/NavigationApplication, aka SAP Security Note 2201295. | 6.1 |
2016-04-14 | CVE-2016-4015 | Unspecified vulnerability in SAP Netweaver The Enqueue Server in SAP NetWeaver JAVA AS 7.1 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted request, aka SAP Security Note 2258784. | 7.5 |
2016-04-14 | CVE-2016-4014 | Unspecified vulnerability in SAP Netweaver 7.4 XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to uddi/api/replication, aka SAP Security Note 2254389. | 8.6 |
2016-04-08 | CVE-2016-3980 | Improper Input Validation vulnerability in SAP Application Server Java 7.2/7.3/7.4 The Java Startup Framework (aka jstart) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted HTTP request, aka SAP Security Note 2259547. | 7.5 |
2016-04-08 | CVE-2016-3979 | Improper Input Validation vulnerability in SAP Java AS 7.4 Internet Communication Manager (aka ICMAN or ICM) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (heap memory corruption and process crash) via a crafted HTTP request, related to the IctParseCookies function, aka SAP Security Note 2256185. | 7.5 |
2016-04-08 | CVE-2015-8840 | Missing Authorization vulnerability in SAP Netweaver Application Server Java The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215. | 8.8 |
2016-04-07 | CVE-2016-3976 | Path Traversal vulnerability in SAP Netweaver Application Server Java Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971. | 7.5 |