| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
|---|---|---|---|---|
| 2024-08-13 | CVE-2024-42374 | XML Injection (aka Blind XPath Injection) vulnerability in SAP BEx Web Java Runtime Export Web Service | BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source. | 8.2 |
| 2024-07-09 | CVE-2024-39598 | Server-Side Request Forgery (SSRF) vulnerability in SAP products | SAP CRM (WebClient UI Framework) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. | 7.7 |
| 2024-06-11 | CVE-2024-34688 | Unspecified vulnerability in SAP NetWeaver Application Server Java Mmrserver 7.5 | Due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, attackers can perform DoS attacks on the application, which may prevent legitimate users from accessing it. | 7.5 |
| 2024-02-13 | CVE-2024-22129 | Cross-site Scripting vulnerability in SAP Companion | SAP Companion - version <3.1.38, has a URL parameter that could be vulnerable to an XSS attack. | 7.6 |
| 2024-02-13 | CVE-2024-22131 | Code Injection vulnerability in SAP ABAP Platform | In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I, an attacker authenticated as a user with a remote execution authorization can use a vulnerable interface. | 7.2 |
| 2024-02-13 | CVE-2024-24743 | XXE vulnerability in SAP NetWeaver Application Server Java 7.50 | SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable them to access sensitive files and data but not modify them. | 7.5 |
| 2024-02-13 | CVE-2024-25642 | Improper Certificate Validation vulnerability in SAP Cloud Connector 2.0 | Due to improper validation of certificates in SAP Cloud Connector - version 2.0, an attacker can impersonate the genuine servers to interact with SCC, breaking the mutual authentication. | 7.4 |
| 2024-02-13 | CVE-2024-22126 | Cross-site Scripting vulnerability in SAP NetWeaver Application Server Java 7.50 | The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them in the redirect URL. | 8.8 |
| 2024-01-09 | CVE-2024-22124 | Unspecified vulnerability in SAP NetWeaver | Under certain conditions, Internet Communication Manager (ICM) or SAP Web Dispatcher - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22_EXT, WEBDISP 7.22_EXT, WEBDISP 7.53, WEBDISP 7.54, could allow an attacker to access information which would otherwise be restricted, causing high impact on confidentiality. | 7.5 |
| 2024-01-09 | CVE-2024-22125 | Unspecified vulnerability in SAP GUI Connector 1.0 | Under certain conditions the Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) - version 1.0, allows an attacker to access highly sensitive information which would otherwise be restricted, causing high impact on confidentiality. | 7.5 |