Vulnerabilities > SAP

Each entry below lists: date, CVE, vulnerability title, risk score, description, attack vector, attack complexity, vendor and CWE (where assigned).

2019-01-08  CVE-2018-2499  Unspecified vulnerability in SAP products  (Risk: 7.5)
  A security weakness in SAP Financial Consolidation Cube Designer (BOBJ_EADES, fixed in versions 8.0 and 10.1) may allow an attacker to discover the password hash of an admin user.
  Attack vector: network | Complexity: low | Vendor: sap

2019-01-08  CVE-2018-2484  Missing Authorization vulnerability in SAP products  (Risk: 8.8)
  SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform the necessary authorization checks for an authenticated user, resulting in escalation of privileges.
  Attack vector: network | Complexity: low | Vendor: sap | CWE-862

2018-12-11  CVE-2018-2505  Cross-site Scripting vulnerability in SAP Hybris  (Risk: 6.1)
  SAP Commerce does not sufficiently validate user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability in storefronts based on the product.
  Attack vector: network | Complexity: low | Vendor: sap | CWE-79

2018-12-11  CVE-2018-2504  Cross-site Scripting vulnerability in SAP Netweaver Application Server Java  (Risk: 6.1)
  The SAP NetWeaver AS Java Web Container service does not validate the HTTP Host header against a whitelist, which can result in HTTP Host header manipulation or a Cross-Site Scripting (XSS) vulnerability.
  Attack vector: network | Complexity: low | Vendor: sap | CWE-79

2018-12-11  CVE-2018-2503  Missing Authorization vulnerability in SAP Netweaver Application Server Java  (Risk: 7.4)
  By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict access to resources that should be protected.
  Complexity: low | Vendor: sap | CWE-862

2018-12-11  CVE-2018-2502  Cross-site Scripting vulnerability in SAP Business ONE on Hana 9.2/9.3  (Risk: 6.1)
  The HTTP TRACE method is enabled in the SAP Business One Service Layer.
  Attack vector: network | Complexity: low | Vendor: sap | CWE-79

2018-12-11  CVE-2018-2500  Unspecified vulnerability in SAP Mobile Secure 6.60.19942.0  (Risk: 4.7)
  Under certain conditions, the SAP Mobile Secure Android client (before version 6.60.19942.0 SP28 1711) allows an attacker to access information that would otherwise be restricted.
  Attack vector: local | Complexity: high | Vendor: sap

2018-12-11  CVE-2018-2497  Unspecified vulnerability in SAP Hana 1.0/2.0  (Risk: 2.7)
  The security audit log of SAP HANA, versions 1.0 and 2.0, does not log SELECT events when they are part of a statement with the syntax CREATE TABLE <table_name> AS SELECT.
  Attack vector: network | Complexity: low | Vendor: sap

2018-12-11  CVE-2018-2494  Incorrect Authorization vulnerability in SAP Business Application Software Integrated Solution  (Risk: 8.0)
  SAP Basis AS ABAP of SAP NetWeaver 700 to 750 (from 750 onwards delivered as ABAP Platform) did not perform the necessary authorization checks for an authenticated user, resulting in escalation of privileges; the missing checks have been fixed.
  Attack vector: network | Complexity: low | Vendor: sap | CWE-863

2018-12-11  CVE-2018-2492  XXE vulnerability in SAP Netweaver Application Server Java  (Risk: 7.1)
  The SAML 2.0 functionality in SAP NetWeaver AS Java does not sufficiently validate XML documents received from an untrusted source.
  Attack vector: network | Complexity: low | Vendor: sap | CWE-611