SAP vulnerabilities

Each entry gives the publication date, CVE, title and description, followed by the attack vector, attack complexity, vendor, CWE and CVSS base score.
2022-06-14  CVE-2022-27668  Incorrect Authorization vulnerability in SAP products
Depending on the configuration of the route permission table in the file 'saprouttab', an unauthenticated attacker can execute SAProuter administration commands from a remote client in SAP NetWeaver and ABAP Platform - versions KERNEL 7.49, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.49, KRNL64UC 7.49, SAP_ROUTER 7.53, 7.22 - for example stopping the SAProuter, which can severely impact system availability.
Attack vector: network; attack complexity: low; vendor: SAP; CWE-863; CVSS 9.8 (critical)
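The exposure above comes from what the route permission table allows, so the first thing to check is the table itself. The following is an added example, not code from the advisory or from SAP: a small Python linter that parses saprouttab rules, evaluates a probe connection top-down the way SAProuter applies its rules (first match wins, no match means deny), and flags permits that would let a non-local client reach the router's own port. The sample table is constructed, and the hazardous pattern it looks for (a permit whose destination is the router's loopback address or a wildcard, on the default port 3299) is an assumption about the misconfiguration the entry refers to, which the entry does not spell out.

```python
import ipaddress
import shlex

# Constructed saprouttab used to demonstrate the check (illustration only, not
# a file from any real SAProuter installation).
SAMPLE_SAPROUTTAB = """\
# LAN clients may reach the dialog instance on sapapp01
P  10.0.0.0/8  sapapp01  3200
# SNC-protected route for the SAP support connection
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"  10.1.2.3  3299
# lets any client route to the SAProuter's own port (assumed hazardous pattern)
P  *  127.0.0.1  3299
# deny everything else; SAProuter takes the first matching rule
D  *  *  *
"""

ROUTER_PORT = "3299"                         # default SAProuter listening port
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
PERMIT_TYPES = {"P", "S", "KP", "KS", "KT"}  # rule types that allow a route
DENY_TYPES = {"D", "KD"}


def parse_saprouttab(text):
    """Return (line_no, type, source, destination, service) for every rule.

    Comments and blank lines are skipped and an optional fifth field (route
    password) is ignored. SNC names are quoted in saprouttab, so shlex is used
    to keep them as one field.
    """
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 4 or fields[0] not in PERMIT_TYPES | DENY_TYPES:
            raise ValueError(f"saprouttab line {line_no}: cannot parse {raw!r}")
        rules.append((line_no, *fields[:4]))
    return rules


def _host_matches(pattern, host):
    """'*' matches anything, a.b.c.d/n is a network, anything else is literal."""
    if pattern == "*":
        return True
    if "/" in pattern:
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern.lower() == host.lower()


def first_matching_rule(rules, source, dest, service):
    """Top-down match as SAProuter evaluates the table; None means implicit deny."""
    for rule in rules:
        _, _, src, dst, svc = rule
        if _host_matches(src, source) and _host_matches(dst, dest) and svc in ("*", service):
            return rule
    return None


def is_permitted(rules, source, dest, service):
    rule = first_matching_rule(rules, source, dest, service)
    return rule is not None and rule[1] in PERMIT_TYPES


def find_hazardous_rules(rules):
    """Flag permits that let a non-local source reach the router's own port.

    Assumption: this is the misconfiguration that exposes SAProuter admin
    commands to remote clients; full wildcard permits are flagged as well.
    """
    findings = []
    for line_no, rtype, src, dst, svc in rules:
        if rtype not in PERMIT_TYPES or src.lower() in LOOPBACK:
            continue
        if src == dst == svc == "*":
            findings.append((line_no, "wildcard permit: any client may route anywhere"))
        elif (dst == "*" or dst.lower() in LOOPBACK) and svc in ("*", ROUTER_PORT):
            findings.append((line_no, f"remote clients may reach the SAProuter port {ROUTER_PORT}"))
    return findings


def harden(rules):
    """Drop the flagged rules; what remains falls through to the final deny."""
    bad = {line_no for line_no, _ in find_hazardous_rules(rules)}
    return [r for r in rules if r[0] not in bad]


if __name__ == "__main__":
    table = parse_saprouttab(SAMPLE_SAPROUTTAB)
    for line_no, why in find_hazardous_rules(table):
        print(f"line {line_no}: {why}")
    probe = ("203.0.113.5", "127.0.0.1", ROUTER_PORT)
    print("remote -> router port, current table:", is_permitted(table, *probe))
    print("remote -> router port, hardened table:", is_permitted(harden(table), *probe))
```

Run it against a real file with parse_saprouttab(open("saprouttab").read()). Because the first matching rule wins, a flagged permit placed above the closing `D * * *` is reachable even when a later rule looks restrictive; treat each finding as a rule to review and remove rather than as proof of exposure, since the linter knows nothing about which hosts are actually the router's.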
2022-06-14  CVE-2022-29612  Server-Side Request Forgery (SSRF) vulnerability in SAP Host Agent and NetWeaver ABAP
SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, 8.04, SAPHOSTAGENT 7.22 - allow an authenticated user to misuse a function of the sapcontrol web functionality (startservice) in the kernel, which enables malicious users to retrieve information.
Attack vector: network; attack complexity: low; vendor: SAP; CWE-918; CVSS 4.3
2022-06-13  CVE-2022-28217  Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver
Part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate XML documents accepted from an untrusted source. An adversary can exploit the unprotected XML parsing at these endpoints to conduct SSRF attacks, and can compromise the system's availability by causing it to crash.
Attack vector: network; attack complexity: low; vendor: SAP; CWE-918; CVSS 6.5
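The entry says the component accepts XML from an untrusted source without sufficient validation and that this leads to SSRF. The added example below is not code from SAP or from the advisory; it assumes the SSRF is reached through external entity resolution (the usual way XML parsing turns into server-side requests), which the entry does not state. It uses Python's standard-library expat parser to show what a resolving parser would be made to fetch for a constructed payload, next to a hardened parser that refuses any DOCTYPE so no entity can be declared at all.

```python
import xml.parsers.expat as expat

# Constructed documents (not taken from the advisory). The first carries an
# external entity that points at a cloud metadata address, the usual shape of
# an XXE turned into SSRF; the second is an ordinary data document.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE page [
  <!ENTITY meta SYSTEM "http://169.254.169.254/latest/meta-data/">
]>
<page><title>&meta;</title></page>"""

BENIGN_PAGE = """<?xml version="1.0"?>
<page><title>Quarterly report</title></page>"""


class UntrustedXML(ValueError):
    """Raised for constructs that are refused in documents from untrusted sources."""


def trace_resolving_parser(doc):
    """Model of a parser that honours external entities.

    Instead of opening the URL it records every system identifier the document
    would make the server contact, which is exactly the SSRF primitive.
    Returns (text content, list of URLs that would have been fetched).
    """
    urls, text = [], []
    parser = expat.ParserCreate()

    def on_external_entity(context, base, system_id, public_id):
        urls.append(system_id)  # a resolving parser would fetch this here
        return 1                # keep parsing

    parser.ExternalEntityRefHandler = on_external_entity
    parser.CharacterDataHandler = text.append
    parser.Parse(doc, True)
    return "".join(text).strip(), urls


def parse_hardened(doc):
    """Refuse any DOCTYPE, so no entities can be declared, and abort if an
    external entity reference is ever seen anyway. Returns the text content."""
    text = []
    parser = expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UntrustedXML(f"DOCTYPE {name!r} is not accepted from untrusted input")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = lambda *_: 0  # 0 makes expat stop with an error
    parser.CharacterDataHandler = text.append
    parser.Parse(doc, True)
    return "".join(text).strip()


def hardened_accepts(doc):
    """True if the hardened parser accepts the document, False if it rejects it."""
    try:
        parse_hardened(doc)
        return True
    except (UntrustedXML, expat.ExpatError):
        return False


if __name__ == "__main__":
    content, fetched = trace_resolving_parser(XXE_PAYLOAD)
    print("resolving parser would contact:", fetched)
    print("hardened parser accepts payload:", hardened_accepts(XXE_PAYLOAD))
    print("hardened parser accepts benign doc:", hardened_accepts(BENIGN_PAGE),
          "->", parse_hardened(BENIGN_PAGE))
```

Rejecting the DOCTYPE outright is the simplest policy for data documents that never legitimately need a DTD; it also removes entity-expansion denial-of-service payloads, which is relevant given that the entry lists a crash as the impact. Where a DTD must be accepted, the equivalent in a Java stack is disabling external general and parameter entities and external DTD loading on the parser factory before any untrusted document is parsed.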
2022-06-06  CVE-2020-6220  Cross-site Scripting vulnerability in SAP BusinessObjects Business Intelligence Platform 4.1/4.2
BI Launchpad and CMC in SAP BusinessObjects Business Intelligence Platform, versions 4.1 and 4.2, do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
Attack vector: network; attack complexity: high; vendor: SAP; CWE-79; CVSS 4.7
2022-06-06  CVE-2022-29617  Improper Handling of Exceptional Conditions vulnerability in SAP Contributor License Agreement Assistant
Due to improper error handling, an authenticated user can crash a CLA Assistant instance.
Attack vector: network; attack complexity: low; vendor: SAP; CWE-755; CVSS 6.5
2022-05-11  CVE-2022-29616  Out-of-bounds Write vulnerability in SAP products
SAP Host Agent, SAP NetWeaver and ABAP Platform allow an attacker to leverage logical errors in memory management to cause a memory corruption.
Attack vector: network; attack complexity: low; vendor: SAP; CWE-787; CVSS 7.5
2022-05-11  CVE-2022-27656  Cross-site Scripting vulnerability in SAP products
The web administration UI of SAP Web Dispatcher and the Internet Communication Manager (ICM) does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
Attack vector: network; attack complexity: low; vendor: SAP; CWE-79; CVSS 6.1
2022-05-11  CVE-2022-28214  Cleartext Storage of Sensitive Information vulnerability in SAP products
During an update of SAP BusinessObjects Enterprise, Central Management Server (CMS) - versions 420, 430 - authentication credentials are exposed in Sysmon event logs.
Attack vector: local; attack complexity: low; vendor: SAP; CWE-312; CVSS 7.8
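The entry states that the credentials end up in Sysmon event logs. The added example below is not code from SAP or from the advisory, and it assumes the exposure is the command line captured in Sysmon process-creation events (EventID 1), which the entry does not say; the events are constructed, and the argument-name pattern is a heuristic. It scans exported events for credential-bearing command lines so an analyst can find what has already been logged, and shows how to redact the value before such events are forwarded to a SIEM.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Sysmon events (illustration only, not log lines from the page or
# from an SAP system): one process-creation event whose command line carries
# a password argument, one harmless event.
SYSMON_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><EventRecordID>1201</EventRecordID></System>
  <EventData>
    <Data Name="Image">C:\\Install\\setup.exe</Data>
    <Data Name="CommandLine">setup.exe -cmsname bocms01:6400 -username Administrator -password Sup3rS3cret -silent</Data>
    <Data Name="User">CORP\\svc_deploy</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><EventRecordID>1202</EventRecordID></System>
  <EventData>
    <Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data>
    <Data Name="CommandLine">notepad.exe C:\\Install\\release-notes.txt</Data>
    <Data Name="User">CORP\\alice</Data>
  </EventData>
</Event>
</Events>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Heuristic: a switch or key=value pair whose name ends in pass/password/pwd/
# secret/token, followed by its value (quoted or a single token).
CREDENTIAL_ARG = re.compile(
    r"(?<![\w-])[-/]{0,2}(?P<key>\w*(?:pass(?:word)?|pwd|secret|token))"
    r'(?:=|:|\s+)(?P<value>"[^"]*"|\S+)',
    re.IGNORECASE,
)


def _event_fields(event):
    """Flatten one Sysmon event to a dict of its EventData fields plus ids."""
    fields = {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = event.findtext("e:System/e:EventID", default="", namespaces=NS)
    fields["EventRecordID"] = event.findtext("e:System/e:EventRecordID", default="", namespaces=NS)
    return fields


def find_exposed_credentials(events_xml):
    """Return (record id, image, argument name) for every process-creation
    event (Sysmon EventID 1) whose command line carries a credential argument."""
    findings = []
    for event in ET.fromstring(events_xml).findall("e:Event", NS):
        f = _event_fields(event)
        if f["EventID"] != "1":
            continue
        for m in CREDENTIAL_ARG.finditer(f.get("CommandLine", "")):
            findings.append((f["EventRecordID"], f.get("Image", ""), m.group("key").lower()))
    return findings


def redact_command_line(command_line):
    """Replace the value of each credential argument, keeping the switch name
    so the event stays useful for investigation."""
    def _mask(m):
        return m.group(0)[: m.start("value") - m.start()] + "<redacted>"
    return CREDENTIAL_ARG.sub(_mask, command_line)


if __name__ == "__main__":
    for record_id, image, key in find_exposed_credentials(SYSMON_EVENTS):
        print(f"record {record_id}: {image} passed a '{key}' argument on the command line")
    print(redact_command_line("setup.exe -username Administrator -password Sup3rS3cret -silent"))
```

Finding such an event means the credential should be treated as disclosed to everyone who can read the Sysmon channel or the SIEM it feeds, and rotated. Redaction at the forwarding stage limits further spread but does not fix the cause, which is the installer passing the secret on a command line; the durable fix is the vendor patch or an install path that reads the secret from a protected file or prompt.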
2022-05-11  CVE-2022-28774  Unspecified vulnerability in SAP Host Agent 7.22
Under certain conditions, the SAP Host Agent log file shows information which would otherwise be restricted.
Attack vector: local; attack complexity: low; vendor: SAP; CVSS 5.5
2022-05-11  CVE-2022-29610  Cross-site Scripting vulnerability in SAP NetWeaver Application Server ABAP
SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in a stored Cross-Site Scripting (XSS) attack.
Attack vector: network; attack complexity: low; vendor: SAP; CWE-79; CVSS 5.4