Vulnerabilities > SAP > Critical

DATE CVE VULNERABILITY TITLE RISK
2016-08-05 CVE-2016-6138 Path Traversal vulnerability in SAP Trex 7.10
Directory traversal vulnerability in SAP TREX 7.10 Revision 63 allows remote attackers to read arbitrary files via unspecified vectors, aka SAP Security Note 2203591.
network
low complexity
sap CWE-22
critical
10.0
2016-05-13 CVE-2010-5326 Remote Code Execution vulnerability in SAP Netweaver Invoker Servlet
The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.
network
low complexity
sap
critical
10.0
2016-04-14 CVE-2016-4014 XML External Entity Injection vulnerability in SAP Netweaver 7.4
XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to uddi/api/replication, aka SAP Security Note 2254389.
network
low complexity
sap
critical
9.0
2016-01-08 CVE-2015-8753 Permissions, Privileges, and Access Controls vulnerability in SAP Afaria 7.0.6001.5
SAP Afaria 7.0.6001.5 allows remote attackers to bypass authorization checks and wipe or lock mobile devices via a crafted request, related to "Insecure signature," aka SAP Security Note 2134905.
network
low complexity
sap CWE-264
critical
9.4
2015-11-10 CVE-2015-7828 Improper Input Validation vulnerability in SAP Hana
SAP HANA Database 1.00 SPS10 and earlier do not require authentication, which allows remote attackers to execute arbitrary code or have unspecified other impact via a TrexNet packet to the (1) fcopydir, (2) fmkdir, (3) frmdir, (4) getenv, (5) dumpenv, (6) fcopy, (7) fput, (8) fdel, (9) fmove, (10) fget, (11) fappend, (12) fdir, (13) getTraces, (14) kill, (15) pexec, (16) stop, or (17) pythonexec method, aka SAP Security Note 2165583.
network
low complexity
sap CWE-20
critical
10.0
2015-10-15 CVE-2015-7730 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP products
SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0, and BusinessObjects XI (BOXI) 3.1 R3 allow remote attackers to cause a denial of service (out-of-bounds read and listener crash) via a crafted GIOP packet, aka SAP Security Note 2001108.
network
low complexity
sap CWE-119
critical
10.0
2015-07-16 CVE-2015-3621 Improper Input Validation vulnerability in SAP Enterprise Central Component
Untrusted search path vulnerability in SAP Enterprise Central Component (ECC) allows local users to gain privileges via a Trojan horse program.
network
sap CWE-20
critical
9.3
2014-12-17 CVE-2014-9387 Permissions, Privileges, and Access Controls vulnerability in SAP Businessobjects 4.1
SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and gain privileges via a crafted CORBA call, aka SAP Note 2039905.
network
low complexity
sap CWE-264
critical
10.0
2014-11-19 CVE-2013-3678 Security vulnerability in SAP GRC
Multiple unspecified vulnerabilities in SAP Governance, Risk, and Compliance (GRC) allow remote authenticated users to gain privileges and execute arbitrary programs via a crafted (1) RFC or (2) SOAP-RFC request.
network
low complexity
sap
critical
9.0
2014-11-06 CVE-2014-8669 Code Injection vulnerability in SAP Customer Relationship Management
The SAP Promotion Guidelines (CRM-MKT-MPL-TPM-PPG) module for SAP CRM allows remote attackers to execute arbitrary code via unspecified vectors.
network
low complexity
sap CWE-94
critical
10.0