Vulnerabilities > SAP > Critical

DATE  CVE  VULNERABILITY TITLE (description; attack vector, attack complexity, vendor, CWE)  RISK (severity, score)
2023-08-08  CVE-2023-37483  Missing Authentication for Critical Function vulnerability in SAP PowerDesigner 16.7
SAP PowerDesigner - version 16.7, has improper access control which might allow an unauthenticated attacker to run arbitrary queries against the back-end database via Proxy.
Attack vector: network | Attack complexity: low | Vendor: sap | CWE-306 | Risk: critical, score 9.8
2023-08-08  CVE-2023-37490  Uncontrolled Search Path Element vulnerability in SAP BusinessObjects Business Intelligence 420/430
SAP BusinessObjects Installer - versions 420, 430, allows an authenticated attacker within the network to overwrite an executable file created in a temporary directory during the installation process.
Attack complexity: low | Vendor: sap | CWE-427 | Risk: critical, score 9.0
2023-08-08  CVE-2023-39439  Empty Password in Configuration File vulnerability in SAP Commerce Cloud and Commerce Hycom
SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.
Attack vector: network | Attack complexity: low | Vendor: sap | CWE-258 | Risk: critical, score 9.8
2023-07-11  CVE-2023-33987  HTTP Request Smuggling vulnerability in SAP Web Dispatcher
An unauthenticated attacker in SAP Web Dispatcher - versions WEBDISP 7.49, WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.81, WEBDISP 7.85, WEBDISP 7.88, WEBDISP 7.89, WEBDISP 7.90, KERNEL 7.49, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.88, KERNEL 7.89, KERNEL 7.90, KRNL64NUC 7.49, KRNL64UC 7.49, KRNL64UC 7.53, HDB 2.00, XS_ADVANCED_RUNTIME 1.00, SAP_EXTENDED_APP_SERVICES 1, can submit a maliciously crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages.
Attack vector: network | Attack complexity: low | Vendor: sap | CWE-444 | Risk: critical, score 9.4
2023-07-11  CVE-2023-35871  Out-of-bounds Write vulnerability in SAP Web Dispatcher
The SAP Web Dispatcher - versions WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.85, WEBDISP 7.89, WEBDISP 7.91, WEBDISP 7.92, WEBDISP 7.93, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KRNL64UC 7.53, HDB 2.00, XS_ADVANCED_RUNTIME 1.00, SAP_EXTENDED_APP_SERVICES 1, has a vulnerability that can be exploited by an unauthenticated attacker to cause memory corruption through logical errors in memory management. This may lead to information disclosure or system crashes, which can have low impact on confidentiality and high impact on the integrity and availability of the system.
Attack vector: network | Attack complexity: low | Vendor: sap | CWE-787 | Risk: critical, score 9.4
2023-05-09  CVE-2023-30744  Missing Authentication for Critical Function vulnerability in SAP NetWeaver Application Server for Java 7.50
In SAP AS NetWeaver JAVA - versions SERVERCORE 7.50, J2EE-FRMW 7.50, CORE-TOOLS 7.50, an unauthenticated attacker can attach to an open interface and make use of an open naming and directory API to instantiate an object which has methods which can be called without further authorization and authentication.
Attack vector: network | Attack complexity: low | Vendor: sap | CWE-306 | Risk: critical, score 9.1
2023-05-09  CVE-2023-32113  Information Exposure vulnerability in SAP GUI for Windows
SAP GUI for Windows - versions 7.70, 8.0, allows an unauthorized attacker to gain NTLM authentication information of a victim by tricking them into clicking a prepared shortcut file.
Attack vector: network | Attack complexity: low | Vendor: sap | CWE-200 | Risk: critical, score 9.3
2023-04-11  CVE-2023-27497  Missing Authentication for Critical Function vulnerability in SAP Diagnostics Agent 720
Due to missing authentication and input sanitization of code, the EventLogServiceCollector of SAP Diagnostics Agent - version 720, allows an attacker to execute malicious scripts on all connected Diagnostics Agents running on Windows.
Attack vector: network | Attack complexity: low | Vendor: sap | CWE-306 | Risk: critical, score 9.8
2023-04-11  CVE-2023-28765  Unspecified vulnerability in SAP BusinessObjects Business Intelligence 420/430
An attacker with basic privileges in SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, can get access to an lcmbiar file and further decrypt it.
Attack vector: network | Attack complexity: low | Vendor: sap | Risk: critical, score 9.8
2023-03-14  CVE-2023-27501  Path Traversal vulnerability in SAP NetWeaver Application Server ABAP
SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files.
Attack vector: network | Attack complexity: low | Vendor: sap | CWE-22 | Risk: critical, score 9.6