Vulnerabilities > SAP > Critical

DATE CVE VULNERABILITY TITLE RISK
2023-08-08 CVE-2023-37483 Missing Authentication for Critical Function vulnerability in SAP Powerdesigner 16.7
SAP PowerDesigner - version 16.7, has improper access control which might allow an unauthenticated attacker to run arbitrary queries against the back-end database via Proxy.
network
low complexity
sap CWE-306
critical
9.8
2023-08-08 CVE-2023-37490 Uncontrolled Search Path Element vulnerability in SAP Businessobjects Business Intelligence 420/430
SAP Business Objects Installer - versions 420, 430, allows an authenticated attacker within the network to overwrite an executable file created in a temporary directory during the installation process.
low complexity
sap CWE-427
critical
9.0
2023-08-08 CVE-2023-39439 Empty Password in Configuration File vulnerability in SAP Commerce Cloud and Commerce Hycom
SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.
network
low complexity
sap CWE-258
critical
9.8
2023-07-11 CVE-2023-33987 HTTP Request Smuggling vulnerability in SAP web Dispatcher
An unauthenticated attacker in SAP Web Dispatcher - versions WEBDISP 7.49, WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.81, WEBDISP 7.85, WEBDISP 7.88, WEBDISP 7.89, WEBDISP 7.90, KERNEL 7.49, KERNEL 7.53, KERNEL 7.54 KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.88, KERNEL 7.89, KERNEL 7.90, KRNL64NUC 7.49, KRNL64UC 7.49, KRNL64UC 7.53, HDB 2.00, XS_ADVANCED_RUNTIME 1.00, SAP_EXTENDED_APP_SERVICES 1, can submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages.
network
low complexity
sap CWE-444
critical
9.4
2023-07-11 CVE-2023-35871 Out-of-bounds Write vulnerability in SAP web Dispatcher
The SAP Web Dispatcher - versions WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.85, WEBDISP 7.89, WEBDISP 7.91, WEBDISP 7.92, WEBDISP 7.93, KERNEL 7.53, KERNEL 7.54 KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KRNL64UC 7.53, HDB 2.00, XS_ADVANCED_RUNTIME 1.00, SAP_EXTENDED_APP_SERVICES 1, has a vulnerability that can be exploited by an unauthenticated attacker to cause memory corruption through logical errors in memory management this may leads to information disclosure or system crashes, which can have low impact on confidentiality and high impact on the integrity and availability of the system.
network
low complexity
sap CWE-787
critical
9.4
2023-05-09 CVE-2023-30744 Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server for Java 7.50
In SAP AS NetWeaver JAVA - versions SERVERCORE 7.50, J2EE-FRMW 7.50, CORE-TOOLS 7.50, an unauthenticated attacker can attach to an open interface and make use of an open naming and directory API to instantiate an object which has methods which can be called without further authorization and authentication.
network
low complexity
sap CWE-306
critical
9.1
2023-05-09 CVE-2023-32113 Information Exposure vulnerability in SAP GUI for Windows
SAP GUI for Windows - version 7.70, 8.0, allows an unauthorized attacker to gain NTLM authentication information of a victim by tricking it into clicking a prepared shortcut file.
network
low complexity
sap CWE-200
critical
9.3
2023-03-14 CVE-2023-27501 Path Traversal vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files.
network
low complexity
sap CWE-22
critical
9.6
2023-03-14 CVE-2023-27269 Path Traversal vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in an available service to overwrite the system files.
network
low complexity
sap CWE-22
critical
9.6
2023-02-14 CVE-2023-24530 Unrestricted Upload of File with Dangerous Type vulnerability in SAP Businessobjects Business Intelligence Platform 420/430
SAP BusinessObjects Business Intelligence Platform (CMC) - versions 420, 430, allows an authenticated admin user to upload malicious code that can be executed by the application over the network.
network
low complexity
sap CWE-434
critical
9.1