Vulnerabilities > SAP
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-05-11 | CVE-2021-27619 | Unspecified vulnerability in SAP Commerce SAP Commerce (Backoffice Search), versions - 1808, 1811, 1905, 2005, 2011, allows a low privileged user to search for attributes which are not supposed to be displayed to them. | 6.5 |
| 2021-04-14 | CVE-2021-27608 | Unquoted Search Path or Element vulnerability in SAP Setup 9.0 An unquoted service path in SAPSetup, version - 9.0, could lead to privilege escalation during the installation process that is performed when an executable file is registered. | 7.5 |
| 2021-04-14 | CVE-2021-27604 | XXE vulnerability in SAP Netweaver Process Integration In order to prevent XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SAP recommends to refer this note. | 6.5 |
| 2021-04-14 | CVE-2021-27599 | Unspecified vulnerability in SAP Netweaver Process Integration SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Integration Builder Framework), versions - 7.10, 7.30, 7.31, 7.40, 7.50, allows an attacker to access information under certain conditions, which would otherwise be restricted. | 6.5 |
| 2021-04-13 | CVE-2021-27609 | Missing Authorization vulnerability in SAP Focused RUN 200/300 SAP Focused RUN versions 200, 300, does not perform necessary authorization checks for an authenticated user, which allows a user to call the oData service and manipulate the activation for the SAP EarlyWatch Alert service data collection and sending to SAP without the intended authorization. | 6.5 |
| 2021-04-13 | CVE-2021-27605 | Missing Authorization vulnerability in SAP Fiori Apps 2.0 for Travel Management in SAP ERP SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. | 4.3 |
| 2021-04-13 | CVE-2021-27603 | Unspecified vulnerability in SAP Netweaver Application Server Abap 731/740/750 An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time. | 6.5 |
| 2021-04-13 | CVE-2021-27602 | Code Injection vulnerability in SAP Commerce SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. | 9.9 |
| 2021-04-13 | CVE-2021-27601 | Cross-site Scripting vulnerability in SAP Netweaver Application Server Java SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. | 5.4 |
| 2021-04-13 | CVE-2021-27600 | Cross-site Scripting vulnerability in SAP Manufacturing Execution SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored Cross-Site Scripting (XSS) vulnerability. | 5.4 |