Vulnerabilities > SAP
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-01-12 | CVE-2021-21445 | HTTP Request Smuggling vulnerability in SAP Commerce Cloud SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user. | 5.4 |
| 2020-12-09 | CVE-2020-26838 | OS Command Injection vulnerability in SAP Business Warehouse and Bw/4Hana SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. | 9.1 |
| 2020-12-09 | CVE-2020-26837 | Path Traversal vulnerability in SAP Solution Manager 7.20 SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, allows an authenticated user to upload a malicious script that can exploit an existing path traversal vulnerability to compromise confidentiality exposing elements of the file system, partially compromise integrity allowing the modification of some configurations and partially compromise availability by making certain services unavailable. | 9.1 |
| 2020-12-09 | CVE-2020-26836 | Open Redirect vulnerability in SAP Solution Manager 7.20 SAP Solution Manager (Trace Analysis), version - 720, allows for misuse of a parameter in the application URL leading to Open Redirect vulnerability, an attacker can enter a link to malicious site which could trick the user to enter credentials or download malicious software, as a parameter in the application URL and share it with the end user who could potentially become a victim of the attack. | 6.1 |
| 2020-12-09 | CVE-2020-26835 | Cross-site Scripting vulnerability in SAP Netweaver Application Server Abap SAP NetWeaver AS ABAP, versions - 740, 750, 751, 752, 753, 754 , does not sufficiently encode URL which allows an attacker to input malicious java script in the URL which could be executed in the browser resulting in Reflected Cross-Site Scripting (XSS) vulnerability. | 6.1 |
| 2020-12-09 | CVE-2020-26834 | Improper Authentication vulnerability in SAP Hana Database 2.00 SAP HANA Database, version - 2.0, does not correctly validate the username when performing SAML bearer token-based user authentication. | 5.4 |
| 2020-12-09 | CVE-2020-26832 | Missing Authorization vulnerability in SAP Netweaver Application Server Abap and S/4 Hana SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable. | 7.6 |
| 2020-12-09 | CVE-2020-26831 | Unspecified vulnerability in SAP Businessobjects Business Intelligence Platform 4.1/4.2/4.3 SAP BusinessObjects BI Platform (Crystal Report), versions - 4.1, 4.2, 4.3, does not sufficiently validate uploaded XML entities during crystal report generation due to missing XML validation, An attacker with basic privileges can inject some arbitrary XML entities leading to internal file disclosure, internal directories disclosure, Server-Side Request Forgery (SSRF) and denial-of-service (DoS). | 9.6 |
| 2020-12-09 | CVE-2020-26830 | Missing Authorization vulnerability in SAP Solution Manager 7.20 SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, does not perform necessary authorization checks for an authenticated user. | 8.1 |
| 2020-12-09 | CVE-2020-26829 | Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server Java SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections from processes because of missing authentication check, that are outside the cluster and even outside the network segment dedicated for the internal cluster communication. | 10.0 |