Vulnerabilities > SAP
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-09-14 | CVE-2021-33688 | SQL Injection vulnerability in SAP Business ONE 10.0 SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. | 4.0 |
| 2021-09-14 | CVE-2021-37531 | OS Command Injection vulnerability in SAP Netweaver Knowledge Management XML Forms SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, contains an XSLT vulnerability which allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be accessed by the system and then create a file which will trigger the XSLT engine to execute the script contained within the malicious XSL file. | 9.0 |
| 2021-09-14 | CVE-2021-37532 | Path Traversal vulnerability in SAP Business ONE 10.0 SAP Business One version - 10, due to improper input validation, allows an authenticated User to gain access to directory and view the contents of index in the directory, which would otherwise be restricted to high privileged User. | 4.0 |
| 2021-09-14 | CVE-2021-37535 | Missing Authorization vulnerability in SAP Netweaver Application Server Java SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges. | 7.5 |
| 2021-09-14 | CVE-2021-38150 | Cleartext Storage of Sensitive Information vulnerability in SAP Business Client 7.0/7.70 When an attacker manages to get access to the local memory, or the memory dump of a victim, for example by a social engineering attack, SAP Business Client versions - 7.0, 7.70, will allow him to read extremely sensitive data, such as credentials. | 4.3 |
| 2021-09-14 | CVE-2021-38162 | HTTP Request Smuggling vulnerability in SAP web Dispatcher SAP Web Dispatcher versions - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83 processes allow an unauthenticated attacker to submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages. | 9.4 |
| 2021-09-14 | CVE-2021-38163 | Path Traversal vulnerability in SAP Netweaver SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. | 8.8 |
| 2021-09-14 | CVE-2021-38164 | Missing Authorization vulnerability in SAP ERP Financial Accounting SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105, allows a registered attacker to invoke certain functions that would otherwise be restricted to specific users. | 5.5 |
| 2021-09-14 | CVE-2021-38174 | Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens manipulated files received from untrusted sources in SAP 3D Visual Enterprise Viewer version - 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. network sap | 4.3 |
| 2021-09-14 | CVE-2021-38175 | Information Exposure vulnerability in SAP Analysis for Microsoft Office 2.8 SAP Analysis for Microsoft Office - version 2.8, allows an attacker with high privileges to read sensitive data over the network, and gather or change information in the current system without user interaction. | 5.5 |