Vulnerabilities > SAP > Critical

DATE CVE VULNERABILITY TITLE RISK
2017-10-16 CVE-2017-15293 Improper Authentication vulnerability in SAP Point of Sale Xpress Server 1020/1030
Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials.
network
low complexity
sap CWE-287
critical
9.8
2017-09-06 CVE-2015-7241 XXE vulnerability in SAP Netweaver 4.0/6.4/7.0
XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01.
network
low complexity
sap CWE-611
critical
9.8
2017-07-25 CVE-2017-11459 Code Injection vulnerability in SAP Trex 7.10
SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via an fget command or (2) write to arbitrary files and consequently execute arbitrary code via an fdir command, aka SAP Security Note 2419592.
network
low complexity
sap CWE-94
critical
9.8
2017-07-12 CVE-2017-9844 Deserialization of Untrusted Data vulnerability in SAP Netweaver 7400.12.21.30308
SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, aka SAP Security Note 2399804.
network
low complexity
sap CWE-502
critical
9.8
2017-05-26 CVE-2016-6256 XXE vulnerability in SAP Business ONE 1.2.3
SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065.
network
low complexity
sap CWE-611
critical
9.6
2017-04-13 CVE-2016-6818 SQL Injection vulnerability in SAP Business Intelligence Platform
SQL injection vulnerability in SAP Business Intelligence platform before January 2017 allows remote attackers to obtain sensitive information, modify data, cause a denial of service (data deletion), or launch administrative operations or possibly OS commands via a crafted SQL query.
network
low complexity
sap CWE-89
critical
9.8
2017-04-13 CVE-2016-6143 Improper Access Control vulnerability in SAP Hana 1.00.73.00.389160
SAP HANA DB 1.00.73.00.389160 allows remote attackers to execute arbitrary code via vectors involving the audit logs, aka SAP Security Note 2170806.
network
low complexity
sap CWE-284
critical
9.8
2017-04-11 CVE-2017-7691 Code Injection vulnerability in SAP Trex
A code injection vulnerability exists in SAP TREX / Business Warehouse Accelerator (BWA).
network
low complexity
sap CWE-94
critical
9.8
2017-04-10 CVE-2016-10311 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP Netweaver
Stack-based buffer overflow in SAP NetWeaver 7.0 through 7.5 allows remote attackers to cause a denial of service () by sending a crafted packet to the SAPSTARTSRV port, aka SAP Security Note 2295238.
network
low complexity
sap CWE-119
critical
9.8
2017-03-23 CVE-2017-6950 Incorrect Permission Assignment for Critical Resource vulnerability in SAP GUI for Windows
SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended security policy restrictions and execute arbitrary code via a crafted ABAP code, aka SAP Security Note 2407616.
network
low complexity
sap CWE-732
critical
9.8