Vulnerabilities > SAP > Critical

DATE CVE VULNERABILITY TITLE RISK
2021-09-14 CVE-2021-33672 Improper Encoding or Escaping of Output vulnerability in SAP Contact Center 700
Due to missing encoding in SAP Contact Center's Communication Desktop component- version 700, an attacker could send malicious script in chat message.
network
sap CWE-116
critical
9.3
2021-09-14 CVE-2021-37531 OS Command Injection vulnerability in SAP Netweaver Knowledge Management XML Forms
SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, contains an XSLT vulnerability which allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be accessed by the system and then create a file which will trigger the XSLT engine to execute the script contained within the malicious XSL file.
network
low complexity
sap CWE-78
critical
9.0
2021-09-14 CVE-2021-38162 HTTP Request Smuggling vulnerability in SAP web Dispatcher
SAP Web Dispatcher versions - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83 processes allow an unauthenticated attacker to submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages.
network
low complexity
sap CWE-444
critical
9.4
2021-09-14 CVE-2021-38176 SQL Injection vulnerability in SAP products
Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database.
network
low complexity
sap CWE-89
critical
9.0
2021-08-09 CVE-2014-9320 Improper Authentication vulnerability in SAP Businessobjects Edge 4.1
SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and consequently gain SYSTEM privileges via vectors involving CORBA calls, aka SAP Note 2039905.
network
sap CWE-287
critical
9.3
2021-06-16 CVE-2021-27610 Improper Authentication vulnerability in SAP Netweaver Abap and Netweaver Application Server Abap
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system.
network
low complexity
sap CWE-287
critical
9.8
2021-03-09 CVE-2021-21480 Code Injection vulnerability in SAP Manufacturing Integration and Intelligence
SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment).
network
low complexity
sap CWE-94
critical
9.0
2021-02-09 CVE-2021-21477 Code Injection vulnerability in SAP Commerce
SAP Commerce Cloud, versions - 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools rules, an authenticated attacker with this privilege will be able to inject malicious code in the drools rules which when executed leads to Remote Code Execution vulnerability enabling the attacker to compromise the underlying host enabling him to impair confidentiality, integrity and availability of the application.
network
low complexity
sap CWE-94
critical
9.0
2020-12-09 CVE-2020-26838 OS Command Injection vulnerability in SAP Business Warehouse and Bw/4Hana
SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction.
network
low complexity
sap CWE-78
critical
9.0
2020-12-09 CVE-2020-26829 Improper Authentication vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections from processes because of missing authentication check, that are outside the cluster and even outside the network segment dedicated for the internal cluster communication.
network
low complexity
sap CWE-287
critical
9.0