Vulnerabilities > SAP

DATE CVE VULNERABILITY TITLE RISK
2016-04-14 CVE-2016-4018 Improper Access Control vulnerability in SAP Hana
The Data Provisioning Agent (aka DP Agent) in SAP HANA does not properly restrict access to service functionality, which allows remote attackers to obtain sensitive information, gain privileges, and conduct unspecified other attacks via unspecified vectors, aka SAP Security Note 2262742.
network
low complexity
sap CWE-284
7.3
7.3
2016-04-14 CVE-2016-4017 Unspecified vulnerability in SAP Hana
The Data Provisioning Agent (aka DP Agent) in SAP HANA allows remote attackers to cause a denial of service (process crash) via unspecified vectors, aka SAP Security Note 2262710.
network
low complexity
sap
7.5
7.5
2016-04-14 CVE-2016-4016 Cross-site Scripting vulnerability in SAP Java AS 7.4
Cross-site scripting (XSS) vulnerability in SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) 15 allows remote attackers to inject arbitrary web script or HTML via the title parameter to webdynpro/resources/sap.com/xapps~xmii~ui~admin~navigation/NavigationApplication, aka SAP Security Note 2201295.
network
low complexity
sap CWE-79
6.1
6.1
2016-04-14 CVE-2016-4015 Unspecified vulnerability in SAP Netweaver
The Enqueue Server in SAP NetWeaver JAVA AS 7.1 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted request, aka SAP Security Note 2258784.
network
low complexity
sap
7.5
7.5
2016-04-14 CVE-2016-4014 Unspecified vulnerability in SAP Netweaver 7.4
XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to uddi/api/replication, aka SAP Security Note 2254389.
network
low complexity
sap
8.6
8.6
2016-04-08 CVE-2016-3980 Improper Input Validation vulnerability in SAP Application Server Java 7.2/7.3/7.4
The Java Startup Framework (aka jstart) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted HTTP request, aka SAP Security Note 2259547.
network
low complexity
sap CWE-20
7.5
7.5
2016-04-08 CVE-2016-3979 Improper Input Validation vulnerability in SAP Java AS 7.4
Internet Communication Manager (aka ICMAN or ICM) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (heap memory corruption and process crash) via a crafted HTTP request, related to the IctParseCookies function, aka SAP Security Note 2256185.
network
low complexity
sap CWE-20
7.5
7.5
2016-04-08 CVE-2015-8840 Missing Authorization vulnerability in SAP Netweaver Application Server Java
The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215.
network
low complexity
sap CWE-862
8.8
8.8
2016-04-07 CVE-2016-3976 Path Traversal vulnerability in SAP Netweaver Application Server Java
Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971.
network
low complexity
sap CWE-22
7.5
7.5
2016-04-07 CVE-2016-3975 Cross-site Scripting vulnerability in SAP Netweaver Application Server Java
Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.NavigationURLTester, aka SAP Security Note 2238375.
network
low complexity
sap CWE-79
6.1
6.1