Vulnerabilities > SAP

DATE CVE VULNERABILITY TITLE RISK
2021-02-09 CVE-2021-21475 Path Traversal vulnerability in SAP Netweaver Master Data Management Server 710/710.750
Under specific circumstances SAP Master Data Management, versions - 710, 710.750, allows an unauthorized attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file APIs.
network
low complexity
sap CWE-22
7.5
2021-02-09 CVE-2021-21474 Inadequate Encryption Strength vulnerability in SAP Hana Database 1.00/2.00
SAP HANA Database, versions - 1.0, 2.0, accepts SAML tokens with MD5 digest, an attacker who manages to obtain an MD5-digest signed SAML Assertion issued for an SAP HANA instance might be able to tamper with it and alter it in a way that the digest continues to be the same and without invalidating the digital signature, this allows them to impersonate as user in HANA database and be able to read the contents in the database.
network
low complexity
sap CWE-326
6.5
2021-02-09 CVE-2021-21472 Missing Authentication for Critical Function vulnerability in SAP Software Provisioning Manager 1.0
SAP Software Provisioning Manager 1.0 (SAP NetWeaver Master Data Management Server 7.1) does not have an option to set password during its installation, this allows an authenticated attacker to perform various security attacks like Directory Traversal, Password Brute force Attack, SMB Relay attack, Security Downgrade.
network
low complexity
sap CWE-306
8.8
2021-02-09 CVE-2021-21444 Improper Restriction of Rendered UI Layers or Frames vulnerability in SAP Businessobjects Business Intelligence 410/420/430
SAP Business Objects BI Platform, versions - 410, 420, 430, allows multiple X-Frame-Options headers entries in the response headers, which may not be predictably treated by all user agents.
network
low complexity
sap CWE-1021
6.1
2021-01-12 CVE-2021-21471 Unspecified vulnerability in SAP Cla-Assistant
In CLA-Assistant, versions before 2.8.5, due to improper access control an authenticated user could access API endpoints which are not intended to be used by the user.
network
low complexity
sap
6.5
2021-01-12 CVE-2021-21470 XXE vulnerability in SAP Enterprise Performance Management 1010/2.8
SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in applications that accept attacker-controlled XML configuration files.
local
low complexity
sap CWE-611
4.4
2021-01-12 CVE-2021-21469 Information Exposure vulnerability in SAP Netweaver Master Data Management 7.10/7.10.750/710
When security guidelines for SAP NetWeaver Master Data Management running on windows have not been thoroughly reviewed, it might be possible for an external operator to try and set custom paths in the MDS server configuration.
network
low complexity
sap CWE-200
7.5
2021-01-12 CVE-2021-21468 Missing Authorization vulnerability in SAP Business Warehouse
The BW Database Interface does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges that allows the user to practically read out any database table.
network
low complexity
sap CWE-862
6.5
2021-01-12 CVE-2021-21467 Missing Authorization vulnerability in SAP Banking Services
SAP Banking Services (Generic Market Data) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
network
low complexity
sap CWE-862
4.3
2021-01-12 CVE-2021-21466 Code Injection vulnerability in SAP Business Warehouse and Bw/4Hana
SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network.
network
low complexity
sap CWE-94
8.8