SAP vulnerabilities rated High

Each entry gives DATE, CVE, VULNERABILITY TITLE and RISK (CVSS base score), then the vendor description, then attack vector, attack complexity, vendor and CWE.
2024-08-13  CVE-2024-42374  XML Injection (aka Blind XPath Injection) vulnerability in SAP BEx Web Java Runtime Export Web Service  RISK 8.2
    BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source.
    Attack vector: network; attack complexity: low; vendor: SAP; CWE-91

2024-07-09  CVE-2024-39598  Server-Side Request Forgery (SSRF) vulnerability in SAP products  RISK 7.7
    SAP CRM (WebClient UI Framework) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests.
    Attack vector: network; attack complexity: low; vendor: SAP; CWE-918

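An added example, not SAP code and not part of the advisory, of the outbound-target check that stops the endpoint enumeration described for CVE-2024-39598: the application resolves the requested host, rejects anything that lands on a private, loopback, link-local or otherwise non-global address (including the cloud metadata address and IPv4-mapped IPv6 forms), and pins the connection to the vetted IP so that a second DNS answer cannot swap in an internal target. The hostnames, the addresses and the FAKE_DNS table are constructed stand-ins for a real socket.getaddrinfo() lookup.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table standing in for DNS. A real deployment would call
# socket.getaddrinfo() and pass every returned address through the same check.
FAKE_DNS = {
    "partner-api.example.com": ["1.2.3.4"],              # legitimate public endpoint
    "intranet.corp.example": ["10.20.30.40"],            # RFC 1918, must be blocked
    "rebind.example.net": ["5.6.7.8", "10.0.0.5"],       # mixed answers: rebinding attempt
    "metadata.example": ["169.254.169.254"],             # cloud metadata, link-local
    "v6-mapped.example": ["::ffff:192.168.1.1"],         # IPv4 hidden in an IPv6 literal
}

ALLOWED_SCHEMES = {"http", "https"}


def resolve(host):
    """Return the address list for host (IP literal or FAKE_DNS name)."""
    try:
        return [ipaddress.ip_address(host)]              # literal IP, no lookup needed
    except ValueError:
        return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


def is_internal(ip):
    """True for any address an SSRF must not reach: RFC 1918, loopback,
    link-local (incl. 169.254.169.254), CGNAT, multicast, reserved, unspecified."""
    mapped = getattr(ip, "ipv4_mapped", None)            # unwrap ::ffff:a.b.c.d
    if mapped is not None:
        ip = mapped
    return not ip.is_global


def vet_outbound_target(url, allowed_hosts=None):
    """Return (ok, reason, pinned_ip).

    The caller must open the socket to pinned_ip (sending the original Host
    header), not to the hostname, so the address checked here is the address
    actually used; re-resolving at connect time would reopen the rebinding hole.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    host = parts.hostname
    if not host:
        return False, "no host in URL", None
    if parts.username or parts.password:
        return False, "userinfo in URL", None
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} not on allowlist", None
    addrs = resolve(host)
    if not addrs:
        return False, f"host {host!r} does not resolve", None
    for ip in addrs:                                     # every answer must be public
        if is_internal(ip):
            return False, f"{host} resolves to internal address {ip}", None
    return True, "ok", str(addrs[0])


if __name__ == "__main__":
    for candidate in ("https://partner-api.example.com/v1/orders",
                      "http://intranet.corp.example/admin",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://rebind.example.net/",
                      "http://v6-mapped.example/",
                      "file:///etc/passwd"):
        print(candidate, "->", vet_outbound_target(candidate))
```

An allowlist of partner hosts (the allowed_hosts argument) is the stronger control where the set of legitimate targets is known; the address check is the fallback for cases where it is not.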
2024-06-11  CVE-2024-34688  Denial of Service vulnerability in SAP NetWeaver Application Server Java (MMR_SERVER 7.5)  RISK 7.5
    Due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, attackers can perform DoS attacks on the application, which may prevent legitimate users from accessing it.
    Attack vector: network; attack complexity: low; vendor: SAP

2024-02-13  CVE-2024-22129  Cross-site Scripting vulnerability in SAP Companion  RISK 7.6
    SAP Companion, versions below 3.1.38, exposes a URL parameter that is vulnerable to cross-site scripting.
    Attack vector: network; attack complexity: low; vendor: SAP; CWE-79

2024-02-13  CVE-2024-22131  Code Injection vulnerability in SAP ABA (Application Basis)  RISK 7.2
    In SAP ABA (Application Basis), versions 700, 701, 702, 731, 740, 750, 751, 752, 75C and 75I, an attacker authenticated as a user with a remote execution authorization can use a vulnerable interface to inject code.
    Attack vector: network; attack complexity: low; vendor: SAP; CWE-94

2024-02-13  CVE-2024-24743  XXE vulnerability in SAP NetWeaver Application Server Java 7.50 (CAF - Guided Procedures)  RISK 7.5
    SAP NetWeaver AS Java (CAF - Guided Procedures), version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network; when the file is parsed, the attacker can read sensitive files and data but not modify them.
    Attack vector: network; attack complexity: low; vendor: SAP; CWE-611

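An added example, not code from SAP or from the advisory, showing the XXE mechanism behind CVE-2024-24743 in Python's stdlib SAX parser (NetWeaver AS Java uses a Java XML parser; the parser differs, the failure mode is the same): with external general entities enabled, a SYSTEM entity declared in the request's DTD pulls a file off the server into the parsed content, which is exactly the read-only file disclosure the advisory describes; with the feature disabled, the entity reference is skipped. The secret file, its path and its contents are constructed for the demonstration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler


class TextCollector(ContentHandler):
    """Collects every character-data callback, i.e. the parsed element text."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_request(xml_bytes, resolve_external_entities):
    """Parse xml_bytes and return the concatenated element text.

    resolve_external_entities=True is the vulnerable configuration: the parser
    follows SYSTEM entities to local files. False is the hardened configuration.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def xxe_demo():
    """Run the same attacker-controlled document through both configurations.

    Returns (text_with_xxe_enabled, text_with_xxe_disabled).
    """
    # Constructed stand-in for a configuration file on the application server.
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as f:
        f.write("db.password=hunter2")
        secret_path = f.name
    try:
        # Attacker-supplied request: the DTD declares an external entity pointing
        # at the server-side file and references it inside an ordinary element.
        payload = f"""<?xml version="1.0"?>
<!DOCTYPE request [
  <!ENTITY xxe SYSTEM "{secret_path}">
]>
<request><name>&xxe;</name></request>""".encode()
        leaked = parse_request(payload, resolve_external_entities=True)
        safe = parse_request(payload, resolve_external_entities=False)
        return leaked, safe
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, safe = xxe_demo()
    print("external entities enabled :", repr(leaked))   # file contents appear in <name>
    print("external entities disabled:", repr(safe))     # entity skipped, nothing leaks
```

The disclosure is read-only because the entity's content only ever flows into parsed text; that matches the "access sensitive files and data but not modify them" wording above. Disabling external general entities (and, where the parser supports it, DTD processing altogether) is the fix regardless of language.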
2024-02-13  CVE-2024-25642  Improper Certificate Validation vulnerability in SAP Cloud Connector 2.0  RISK 7.4
    Due to improper certificate validation in SAP Cloud Connector (SCC), version 2.0, an attacker can impersonate genuine servers that interact with SCC, breaking the mutual authentication.
    Attack vector: network; attack complexity: high; vendor: SAP; CWE-295

2024-02-13  CVE-2024-22126  Cross-site Scripting vulnerability in SAP NetWeaver Application Server Java 7.50 (User Admin)  RISK 8.8
    The User Admin application of SAP NetWeaver AS for Java, version 7.50, insufficiently validates and improperly encodes incoming URL parameters before including them in the redirect URL.
    Attack vector: network; attack complexity: low; vendor: SAP; CWE-79

2024-01-09  CVE-2024-22124  Information disclosure vulnerability in SAP NetWeaver (ICM / Web Dispatcher)  RISK 7.5
    Under certain conditions, Internet Communication Manager (ICM) or SAP Web Dispatcher, versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22_EXT, WEBDISP 7.22_EXT, WEBDISP 7.53 and WEBDISP 7.54, could allow an attacker to access information which would otherwise be restricted, causing high impact on confidentiality.
    Attack vector: network; attack complexity: low; vendor: SAP

2024-01-09  CVE-2024-22125  Information disclosure vulnerability in SAP GUI connector for Microsoft Edge 1.0  RISK 7.5
    Under certain conditions, the Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge), version 1.0, allows an attacker to access highly sensitive information which would otherwise be restricted, causing high impact on confidentiality.
    Attack vector: network; attack complexity: low; vendor: SAP