Vulnerabilities > SAP

DATE CVE VULNERABILITY TITLE RISK
2021-01-12 CVE-2021-21445 HTTP Request Smuggling vulnerability in SAP Commerce Cloud
SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user.
network
low complexity
sap CWE-444
5.4
2020-12-09 CVE-2020-26838 OS Command Injection vulnerability in SAP Business Warehouse and Bw/4Hana
SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction.
network
low complexity
sap CWE-78
critical
9.1
2020-12-09 CVE-2020-26837 Path Traversal vulnerability in SAP Solution Manager 7.20
SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, allows an authenticated user to upload a malicious script that can exploit an existing path traversal vulnerability to compromise confidentiality exposing elements of the file system, partially compromise integrity allowing the modification of some configurations and partially compromise availability by making certain services unavailable.
network
low complexity
sap CWE-22
critical
9.1
2020-12-09 CVE-2020-26836 Open Redirect vulnerability in SAP Solution Manager 7.20
SAP Solution Manager (Trace Analysis), version - 720, allows for misuse of a parameter in the application URL leading to Open Redirect vulnerability, an attacker can enter a link to malicious site which could trick the user to enter credentials or download malicious software, as a parameter in the application URL and share it with the end user who could potentially become a victim of the attack.
network
low complexity
sap CWE-601
6.1
2020-12-09 CVE-2020-26835 Cross-site Scripting vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver AS ABAP, versions - 740, 750, 751, 752, 753, 754 , does not sufficiently encode URL which allows an attacker to input malicious java script in the URL which could be executed in the browser resulting in Reflected Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2020-12-09 CVE-2020-26834 Improper Authentication vulnerability in SAP Hana Database 2.00
SAP HANA Database, version - 2.0, does not correctly validate the username when performing SAML bearer token-based user authentication.
network
low complexity
sap CWE-287
5.4
2020-12-09 CVE-2020-26832 Missing Authorization vulnerability in SAP Netweaver Application Server Abap and S/4 Hana
SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.
network
low complexity
sap CWE-862
7.6
2020-12-09 CVE-2020-26831 Unspecified vulnerability in SAP Businessobjects Business Intelligence Platform 4.1/4.2/4.3
SAP BusinessObjects BI Platform (Crystal Report), versions - 4.1, 4.2, 4.3, does not sufficiently validate uploaded XML entities during crystal report generation due to missing XML validation, An attacker with basic privileges can inject some arbitrary XML entities leading to internal file disclosure, internal directories disclosure, Server-Side Request Forgery (SSRF) and denial-of-service (DoS).
network
low complexity
sap
critical
9.6
2020-12-09 CVE-2020-26830 Missing Authorization vulnerability in SAP Solution Manager 7.20
SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, does not perform necessary authorization checks for an authenticated user.
network
low complexity
sap CWE-862
8.1
2020-12-09 CVE-2020-26829 Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections from processes because of missing authentication check, that are outside the cluster and even outside the network segment dedicated for the internal cluster communication.
network
low complexity
sap CWE-306
critical
10.0