Vulnerabilities > SAP > Critical

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ATTACK VECTOR | COMPLEXITY | TAGS | RISK | SCORE |
|---|---|---|---|---|---|---|---|---|
| 2016-10-05 | CVE-2016-7435 | Permissions, Privileges, and Access Controls vulnerability in SAP Netweaver 7.40 | The (1) SCTC_REFRESH_EXPORT_TAB_COMP, (2) SCTC_REFRESH_CHECK_ENV, and (3) SCTC_TMS_MAINTAIN_ALOG functions in the SCTC subpackage in SAP Netweaver 7.40 SP 12 allow remote authenticated users with certain permissions to execute arbitrary commands via vectors involving a CALL 'SYSTEM' statement, aka SAP Security Note 2260344. | network | low | sap CWE-264 | critical | 9.1 |
| 2016-09-27 | CVE-2016-6137 | Unspecified vulnerability in SAP Trex 7.10 | An unspecified function in SAP TREX 7.10 Revision 63 allows remote attackers to execute arbitrary OS commands via unknown vectors, aka SAP Security Note 2203591. | network | low | sap | critical | 9.8 |
| 2016-08-05 | CVE-2016-6150 | Improper Access Control vulnerability in SAP Hana | The multi-tenant database container feature in SAP HANA does not properly encrypt communications, which allows remote attackers to bypass intended access restrictions and possibly have unspecified other impact via unknown vectors, aka SAP Security Note 2233550. | network | low | sap CWE-284 | critical | 9.8 |
| 2016-08-05 | CVE-2016-6147 | OS Command Injection vulnerability in SAP Trex 7.10 | An unspecified interface in SAP TREX 7.10 Revision 63 allows remote attackers to execute arbitrary OS commands with SIDadm privileges via unspecified vectors, aka SAP Security Note 2234226. | network | low | sap CWE-78 | critical | 9.8 |
| 2016-08-05 | CVE-2016-6140 | Improper Access Control vulnerability in SAP Trex 7.10 | SAP TREX 7.10 Revision 63 allows remote attackers to write to arbitrary files via vectors related to RFC-Gateway, aka SAP Security Note 2203591. | network | low | sap CWE-284 | critical | 9.8 |
| 2016-08-05 | CVE-2016-6139 | Unspecified vulnerability in SAP Trex 7.10 | SAP TREX 7.10 Revision 63 allows remote attackers to read arbitrary files via unspecified vectors, aka SAP Security Note 2203591. | network | low | sap | critical | 9.8 |
| 2016-08-05 | CVE-2016-6138 | Path Traversal vulnerability in SAP Trex 7.10 | Directory traversal vulnerability in SAP TREX 7.10 Revision 63 allows remote attackers to read arbitrary files via unspecified vectors, aka SAP Security Note 2203591. | network | low | sap CWE-22 | critical | 9.8 |
| 2016-05-13 | CVE-2010-5326 | Unspecified vulnerability in SAP Netweaver Application Server Java | The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack. | network | low | sap | critical | 10.0 |
| 2016-04-07 | CVE-2016-3974 | XXE vulnerability in SAP Netweaver Application Server Java | XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to `_tc~monitoring~webservice~web/ServerNodesWSService`, aka SAP Security Note 2235994. | network | low | sap CWE-611 | critical | 9.1 |
| 2016-02-16 | CVE-2016-2386 | SQL Injection vulnerability in SAP Netweaver Application Server Java 7.40 | SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079. | network | low | sap CWE-89 | critical | 9.8 |