Vulnerabilities > SAP > Critical

DATE        CVE             VULNERABILITY TITLE (risk details follow each entry)

2024-08-13  CVE-2024-33003  Unspecified vulnerability in SAP Commerce Cloud
    Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters.
    Vector: network | Complexity: low | Tags: sap | Risk: critical, score 9.1

2024-08-13  CVE-2024-41730  Missing Authorization vulnerability in SAP Business Objects Business Intelligence Platform Enterprise430/Enterprise440
    In SAP BusinessObjects Business Intelligence Platform, if Single Sign-On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint.
    Vector: network | Complexity: low | Tags: sap, CWE-862 | Risk: critical, score 9.8

2024-01-09  CVE-2024-21737  Code Injection vulnerability in SAP Application Interface Framework 702
    In SAP Application Interface Framework File Adapter - version 702, a high privilege user can use a function module to traverse through various layers and execute OS commands directly.
    Vector: network | Complexity: low | Tags: sap, CWE-94 | Risk: critical, score 9.1

2023-12-12  CVE-2023-50424  Exposed Dangerous Method or Function vulnerability in SAP Cloud-Security-Client-Go
    SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions < 0.17.0, allows, under certain conditions, an escalation of privileges.
    Vector: network | Complexity: low | Tags: sap, CWE-749 | Risk: critical, score 9.8

2023-12-12  CVE-2023-49581  SQL Injection vulnerability in SAP Netweaver Application Server Abap
    SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential.
    Vector: network | Complexity: low | Tags: sap, CWE-89 | Risk: critical, score 9.4

2023-12-12  CVE-2023-49583  Exposed Dangerous Method or Function vulnerability in SAP @Sap/XSSec
    SAP BTP Security Services Integration Library ([Node.js] @sap/xssec) - versions < 3.6.0, allows, under certain conditions, an escalation of privileges.
    Vector: network | Complexity: low | Tags: sap, CWE-749 | Risk: critical, score 9.8

2023-12-12  CVE-2023-50422  Exposed Dangerous Method or Function vulnerability in SAP Cloud-Security-Services-Integration-Library
    SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allows, under certain conditions, an escalation of privileges.
    Vector: network | Complexity: low | Tags: sap, CWE-749 | Risk: critical, score 9.8

2023-12-12  CVE-2023-50423  Exposed Dangerous Method or Function vulnerability in SAP Sap-XSSec
    SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allows, under certain conditions, an escalation of privileges.
    Vector: network | Complexity: low | Tags: sap, CWE-749 | Risk: critical, score 9.8

2023-09-12  CVE-2023-40309  Incorrect Authorization vulnerability in SAP products
    SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges.
    Vector: network | Complexity: low | Tags: sap, CWE-863 | Risk: critical, score 9.8

2023-09-12  CVE-2023-40622  Incorrect Permission Assignment for Critical Resource vulnerability in SAP Businessobjects Business Intelligence 420/430
    SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, under certain conditions allows an authenticated attacker to view sensitive information which is otherwise restricted.
    Vector: network | Complexity: low | Tags: sap, CWE-732 | Risk: critical, score 9.9