Vulnerabilities > SAP

DATE CVE VULNERABILITY TITLE RISK
2019-10-08 CVE-2019-0370 XML Injection (aka Blind XPath Injection) vulnerability in SAP Financial Consolidation 10.0/10.1
Due to missing input validation, SAP Financial Consolidation, before versions 10.0 and 10.1, enables an attacker to use crafted input to interfere with the structure of the surrounding query leading to XPath Injection.
network
low complexity
sap CWE-91
6.5
2019-10-08 CVE-2019-0369 Cross-site Scripting vulnerability in SAP Financial Consolidation 10.0/10.1
SAP Financial Consolidation, before versions 10.0 and 10.1, does not sufficiently encode user-controlled inputs, which allows an attacker to execute scripts by uploading files containing malicious scripts, leading to reflected cross site scripting vulnerability.
network
low complexity
sap CWE-79
5.4
2019-10-08 CVE-2019-0368 Cross-site Scripting vulnerability in SAP products
SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs within the mail client resulting in Cross-Site Scripting vulnerability.
network
low complexity
sap CWE-79
5.4
2019-10-08 CVE-2019-0367 Missing Authorization vulnerability in SAP Netweaver Process Integration 1.0/2.0
SAP NetWeaver Process Integration (B2B Toolkit), before versions 1.0 and 2.0, does not perform necessary authorization checks for an authenticated user, allowing the import of B2B table content that leads to Missing Authorization Check.
network
low complexity
sap CWE-862
4.3
2019-09-10 CVE-2019-0365 Unspecified vulnerability in SAP products
SAP Kernel (RFC), KRNL32NUC, KRNL32UC and KRNL64NUC before versions 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64UC, before versions 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73 and KERNEL before versions 7.21, 7.49, 7.53, 7.73, 7.76 SAP GUI for Windows (BC-FES-GUI) before versions 7.5, 7.6, and SAP GUI for Java (BC-FES-JAV) before version 7.5, allow an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.
network
low complexity
sap
7.5
2019-09-10 CVE-2019-0364 Unspecified vulnerability in SAP Hana Extended Application Services 1.0
Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to enumerate open ports.
network
low complexity
sap
4.3
2019-09-10 CVE-2019-0363 Unspecified vulnerability in SAP Hana Extended Application Services 1.0
Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to overload the server or retrieve information about internal network ports.
network
low complexity
sap
7.1
2019-09-10 CVE-2019-0361 Cross-site Scripting vulnerability in SAP Supplier Relationship Management 3.73/7.31/7.32
SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2019-09-10 CVE-2019-0357 Unspecified vulnerability in SAP Hana 1.0/2.0
The administrator of SAP HANA database, before versions 1.0 and 2.0, can misuse HANA to execute commands with operating system "root" privileges.
local
low complexity
sap
6.7
2019-09-10 CVE-2019-0356 Unspecified vulnerability in SAP Netweaver Process Integration 7.31/7.40/7.50
Under certain conditions SAP NetWeaver Process Integration Runtime Workbench – MESSAGING and SAP_XIAF (before versions 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted.
network
low complexity
sap
4.3