Vulnerabilities > SAP > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-08-08 | CVE-2023-37483 | Missing Authentication for Critical Function vulnerability in SAP Powerdesigner 16.7 SAP PowerDesigner - version 16.7, has improper access control which might allow an unauthenticated attacker to run arbitrary queries against the back-end database via Proxy. | 9.8 |
| 2023-08-08 | CVE-2023-37490 | Uncontrolled Search Path Element vulnerability in SAP Businessobjects Business Intelligence 420/430 SAP Business Objects Installer - versions 420, 430, allows an authenticated attacker within the network to overwrite an executable file created in a temporary directory during the installation process. | 9.0 |
| 2023-08-08 | CVE-2023-39439 | Empty Password in Configuration File vulnerability in SAP Commerce Cloud and Commerce Hycom SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase. | 9.8 |
| 2023-07-11 | CVE-2023-33987 | HTTP Request Smuggling vulnerability in SAP web Dispatcher An unauthenticated attacker in SAP Web Dispatcher - versions WEBDISP 7.49, WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.81, WEBDISP 7.85, WEBDISP 7.88, WEBDISP 7.89, WEBDISP 7.90, KERNEL 7.49, KERNEL 7.53, KERNEL 7.54 KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.88, KERNEL 7.89, KERNEL 7.90, KRNL64NUC 7.49, KRNL64UC 7.49, KRNL64UC 7.53, HDB 2.00, XS_ADVANCED_RUNTIME 1.00, SAP_EXTENDED_APP_SERVICES 1, can submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages. | 9.4 |
| 2023-07-11 | CVE-2023-35871 | Out-of-bounds Write vulnerability in SAP web Dispatcher The SAP Web Dispatcher - versions WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.85, WEBDISP 7.89, WEBDISP 7.91, WEBDISP 7.92, WEBDISP 7.93, KERNEL 7.53, KERNEL 7.54 KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KRNL64UC 7.53, HDB 2.00, XS_ADVANCED_RUNTIME 1.00, SAP_EXTENDED_APP_SERVICES 1, has a vulnerability that can be exploited by an unauthenticated attacker to cause memory corruption through logical errors in memory management this may leads to information disclosure or system crashes, which can have low impact on confidentiality and high impact on the integrity and availability of the system. | 9.4 |
| 2023-05-09 | CVE-2023-30744 | Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server for Java 7.50 In SAP AS NetWeaver JAVA - versions SERVERCORE 7.50, J2EE-FRMW 7.50, CORE-TOOLS 7.50, an unauthenticated attacker can attach to an open interface and make use of an open naming and directory API to instantiate an object which has methods which can be called without further authorization and authentication. | 9.1 |
| 2023-05-09 | CVE-2023-32113 | Information Exposure vulnerability in SAP GUI for Windows SAP GUI for Windows - version 7.70, 8.0, allows an unauthorized attacker to gain NTLM authentication information of a victim by tricking it into clicking a prepared shortcut file. | 9.3 |
| 2023-03-14 | CVE-2023-27501 | Path Traversal vulnerability in SAP Netweaver Application Server Abap SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. | 9.6 |
| 2023-03-14 | CVE-2023-27269 | Path Traversal vulnerability in SAP Netweaver Application Server Abap SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in an available service to overwrite the system files. | 9.6 |
| 2023-02-14 | CVE-2023-24530 | Unrestricted Upload of File with Dangerous Type vulnerability in SAP Businessobjects Business Intelligence Platform 420/430 SAP BusinessObjects Business Intelligence Platform (CMC) - versions 420, 430, allows an authenticated admin user to upload malicious code that can be executed by the application over the network. | 9.1 |