Vulnerabilities > SAP > Critical

DATE CVE VULNERABILITY TITLE RISK
2020-02-05 CVE-2011-1517 Unspecified vulnerability in SAP Netweaver 7.0
SAP NetWeaver 7.0 allows Remote Code Execution and Denial of Service caused by an error in the DiagTraceHex() function.
network
low complexity
sap
critical
9.8
2020-01-23 CVE-2013-1592 Classic Buffer Overflow vulnerability in SAP Netweaver
A Buffer Overflow vulnerability exists in the Message Server service _MsJ2EE_AddStatistics() function when sending specially crafted SAP Message Server packets to remote TCP ports 36NN and/or 39NN in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04, which could let a remote malicious user execute arbitrary code.
network
low complexity
sap CWE-120
critical
9.8
2019-12-11 CVE-2019-0403 Improper Neutralization of Formula Elements in a CSV File vulnerability in SAP Enable NOW 10/1902/1908
SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed when opened, leading to CSV Command Injection.
network
low complexity
sap CWE-1236
critical
9.8
2019-08-14 CVE-2019-0345 Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Application Server Java
A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery.
network
low complexity
sap CWE-918
critical
9.8
2019-08-14 CVE-2019-0344 Deserialization of Untrusted Data vulnerability in SAP Commerce Cloud
Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.
network
low complexity
sap CWE-502
critical
9.8
2019-07-10 CVE-2019-0330 Code Injection vulnerability in SAP Diagnostics Agent 7.20
The OS Command Plugin in the transaction GPA_ADMIN and the OSCommand Console of SAP Diagnostic Agent (LM-Service), version 7.2, allow an attacker to inject code that can be executed by the application.
network
low complexity
sap CWE-94
critical
9.1
2019-06-12 CVE-2019-0304 Injection vulnerability in SAP products
FTP Function of SAP NetWeaver AS ABAP Platform, versions- KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.45, 7.49, 7.53, 7.73, allows an attacker to inject code or specifically manipulated command that can be executed by the application.
network
low complexity
sap CWE-74
critical
9.8
2019-04-10 CVE-2019-0285 Cleartext Storage of Sensitive Information vulnerability in SAP Crystal Reports 2010
The .NET SDK WebForm Viewer in SAP Crystal Reports for Visual Studio (fixed in version 2010) discloses sensitive database information including credentials which can be misused by the attacker.
network
low complexity
sap CWE-312
critical
9.8
2019-02-15 CVE-2019-0261 Missing Authentication for Critical Function vulnerability in SAP Landscape Management 3.0
Under certain circumstances, SAP HANA Extended Application Services, advanced model (XS advanced) does not perform authentication checks properly for XS advanced platform and business users.
network
low complexity
sap CWE-306
critical
9.8
2019-02-15 CVE-2019-0259 Unrestricted Upload of File with Dangerous Type vulnerability in SAP Businessobjects 4.2/4.3
SAP BusinessObjects, versions 4.2 and 4.3, (Visual Difference) allows an attacker to upload any file (including script files) without proper file format validation.
network
low complexity
sap CWE-434
critical
9.8