Vulnerabilities > SAP > Critical

DATE CVE VULNERABILITY TITLE RISK
2020-01-23 CVE-2013-1592 Classic Buffer Overflow vulnerability in SAP Netweaver
A Buffer Overflow vulnerability exists in the Message Server service _MsJ2EE_AddStatistics() function when sending specially crafted SAP Message Server packets to remote TCP ports 36NN and/or 39NN in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04, which could let a remote malicious user execute arbitrary code.
network
low complexity
sap CWE-120
critical
10.0
2019-08-14 CVE-2019-0344 Deserialization of Untrusted Data vulnerability in SAP Commerce Cloud
Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.
network
low complexity
sap CWE-502
critical
9.8
2019-07-10 CVE-2019-0330 Code Injection vulnerability in SAP Diagnostics Agent 7.20
The OS Command Plugin in the transaction GPA_ADMIN and the OSCommand Console of SAP Diagnostic Agent (LM-Service), version 7.2, allow an attacker to inject code that can be executed by the application.
network
low complexity
sap CWE-94
critical
9.1
2019-07-10 CVE-2019-0328 OS Command Injection vulnerability in SAP Netweaver Process Integration
ABAP Tests Modules (SAP Basis, versions 7.0, 7.1, 7.3, 7.31, 7.4, 7.5) of SAP NetWeaver Process Integration enables an attacker the execution of OS commands with privileged rights.
network
low complexity
sap CWE-78
critical
9.0
2017-10-16 CVE-2017-15295 Improper Authentication vulnerability in SAP Point of Sale Xpress Server 1020/1030
Xpress Server in SAP POS does not require authentication for read/write/delete file access.
network
low complexity
sap CWE-287
critical
10.0
2017-10-16 CVE-2017-15293 Improper Authentication vulnerability in SAP Point of Sale Xpress Server 1020/1030
Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials.
network
low complexity
sap CWE-287
critical
10.0
2017-04-13 CVE-2016-6818 SQL Injection vulnerability in SAP Business Intelligence Platform
SQL injection vulnerability in SAP Business Intelligence platform before January 2017 allows remote attackers to obtain sensitive information, modify data, cause a denial of service (data deletion), or launch administrative operations or possibly OS commands via a crafted SQL query.
network
low complexity
sap CWE-89
critical
10.0
2016-10-05 CVE-2016-7435 Permissions, Privileges, and Access Controls vulnerability in SAP Netweaver 7.40
The (1) SCTC_REFRESH_EXPORT_TAB_COMP, (2) SCTC_REFRESH_CHECK_ENV, and (3) SCTC_TMS_MAINTAIN_ALOG functions in the SCTC subpackage in SAP Netweaver 7.40 SP 12 allow remote authenticated users with certain permissions to execute arbitrary commands via vectors involving a CALL 'SYSTEM' statement, aka SAP Security Note 2260344.
network
low complexity
sap CWE-264
critical
9.0
2016-09-27 CVE-2016-6137 Remote Command Execution vulnerability in SAP Trex 7.10
An unspecified function in SAP TREX 7.10 Revision 63 allows remote attackers to execute arbitrary OS commands via unknown vectors, aka SAP Security Note 2203591.
network
low complexity
sap
critical
10.0
2016-08-05 CVE-2016-6147 OS Command Injection vulnerability in SAP Trex 7.10
An unspecified interface in SAP TREX 7.10 Revision 63 allows remote attackers to execute arbitrary OS commands with SIDadm privileges via unspecified vectors, aka SAP Security Note 2234226.
network
low complexity
sap CWE-78
critical
10.0