Vulnerabilities > SAP
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-14 | CVE-2023-27271 | Server-Side Request Forgery (SSRF) vulnerability in SAP Businessobjects Business Intelligence Platform 420/430 In SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, an attacker can control a malicious BOE server, forcing the application server to connect to its own admintools, leading to a high impact on availability. | 7.5 |
| 2023-03-14 | CVE-2023-27498 | Stack-based Buffer Overflow vulnerability in SAP Host Agent 7.22 SAP Host Agent (SAPOSCOL) - version 7.22, allows an unauthenticated attacker with network access to a server port assigned to the SAP Start Service to submit a crafted request which results in a memory corruption error. | 7.2 |
| 2023-03-14 | CVE-2023-27500 | Path Traversal vulnerability in SAP Netweaver Application Server Abap An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to over-write system files. | 8.1 |
| 2023-03-14 | CVE-2023-27501 | Path Traversal vulnerability in SAP Netweaver Application Server Abap SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. | 9.6 |
| 2023-03-14 | CVE-2023-27893 | Code Injection vulnerability in SAP Solution Manager 740 An attacker authenticated as a user with a non-administrative role and a common remote execution authorization in SAP Solution Manager and ABAP managed systems (ST-PI) - versions 2088_1_700, 2008_1_710, 740, can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can read or modify any user or application data and can make the application unavailable. | 8.8 |
| 2023-03-14 | CVE-2023-27894 | Information Exposure vulnerability in SAP Businessobjects Business Intelligence 420/430 SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, allows an attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. | 5.3 |
| 2023-03-14 | CVE-2023-27895 | Privilege Defined With Unsafe Actions vulnerability in SAP Authenticator 1.3.0 SAP Authenticator for Android - version 1.3.0, allows the screen to be captured, if an authorized attacker installs a malicious app on the mobile device. | 6.5 |
| 2023-03-14 | CVE-2023-27896 | Server-Side Request Forgery (SSRF) vulnerability in SAP Businessobjects Business Intelligence 420/430 In SAP BusinessObjects Business Intelligence Platform - version 420, 430, an attacker can control a malicious BOE server, forcing the application server to connect to its own CMS, leading to a high impact on availability. | 7.5 |
| 2023-03-14 | CVE-2023-0021 | Cross-site Scripting vulnerability in SAP Netweaver Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password, which could lead to reflected Cross-Site scripting. | 6.1 |
| 2023-03-14 | CVE-2023-23857 | Improper Authentication vulnerability in SAP Netweaver Application Server for Java 7.50 Due to missing authentication check, SAP NetWeaver AS for Java - version 7.50, allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services across systems. | 8.6 |