Vulnerabilities > SAP

DATE CVE VULNERABILITY TITLE RISK
2021-03-09 CVE-2021-21488 Deserialization of Untrusted Data vulnerability in SAP Netweaver Knowledge Management
Knowledge Management versions 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 allows a remote attacker with basic privileges to deserialize user-controlled data without verification, leading to insecure deserialization which triggers the attacker’s code, therefore impacting Availability.
network
low complexity
sap CWE-502
6.5
2021-03-09 CVE-2021-21487 Missing Authorization vulnerability in SAP Payment Engine 500
SAP Payment Engine version 500, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
network
low complexity
sap CWE-862
8.8
2021-03-09 CVE-2021-21486 Missing Authorization vulnerability in SAP Enterprise Financial Services
SAP Enterprise Financial Services versions, 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
network
low complexity
sap CWE-862
8.8
2021-03-09 CVE-2021-21484 Incorrect Authorization vulnerability in SAP Hana 2.0
LDAP authentication in SAP HANA Database version 2.0 can be bypassed if the attached LDAP directory server is configured to enable unauthenticated bind.
network
low complexity
sap CWE-863
critical
9.8
2021-03-09 CVE-2021-21481 Incorrect Authorization vulnerability in SAP Netweaver
The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check.
low complexity
sap CWE-863
8.8
2021-03-09 CVE-2021-21480 Code Injection vulnerability in SAP Manufacturing Integration and Intelligence
SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment).
network
low complexity
sap CWE-94
8.8
2021-02-09 CVE-2021-21479 Injection vulnerability in SAP Scimono
In SCIMono before 0.0.19, it is possible for an attacker to inject and execute java expression compromising the availability and integrity of the system.
network
low complexity
sap CWE-74
critical
9.1
2021-02-09 CVE-2021-21478 Open Redirect vulnerability in SAP web Dynpro Abap
SAP Web Dynpro ABAP allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.
network
low complexity
sap CWE-601
6.1
2021-02-09 CVE-2021-21477 Code Injection vulnerability in SAP Commerce
SAP Commerce Cloud, versions - 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools rules, an authenticated attacker with this privilege will be able to inject malicious code in the drools rules which when executed leads to Remote Code Execution vulnerability enabling the attacker to compromise the underlying host enabling him to impair confidentiality, integrity and availability of the application.
network
low complexity
sap CWE-94
critical
9.9
2021-02-09 CVE-2021-21476 Open Redirect vulnerability in SAP UI5
SAP UI5 versions before 1.38.49, 1.52.49, 1.60.34, 1.71.31, 1.78.18, 1.84.5, 1.85.4, 1.86.1 allows an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.
network
low complexity
sap CWE-601
6.1