SAP vulnerabilities rated High

Each entry gives: date, CVE, vulnerability title; description; attack vector, attack complexity, vendor, CWE (where assigned), risk score.

2021-11-10  CVE-2021-40503  Insufficiently Protected Credentials vulnerability in SAP GUI for Windows
  An information disclosure vulnerability exists in SAP GUI for Windows versions < 7.60 PL13 and 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user's password.
  Attack vector: local | Attack complexity: low | Vendor: SAP | CWE-522 | Risk: 7.8

2021-10-12  CVE-2021-38178  Unspecified vulnerability in SAP Netweaver Abap and Netweaver Application Server Abap
  The software logistics system of SAP NetWeaver AS ABAP and ABAP Platform versions 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 enables a malicious user to transfer ABAP code artifacts or content, bypassing the established quality gates.
  Attack vector: network | Attack complexity: low | Vendor: SAP | Risk: 8.8

2021-10-12  CVE-2021-38181  Unspecified vulnerability in SAP Netweaver Abap and Netweaver Application Server Abap
  SAP NetWeaver AS ABAP and ABAP Platform versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 allow an attacker to prevent legitimate users from accessing a service, either by crashing or by flooding the service.
  Attack vector: network | Attack complexity: low | Vendor: SAP | Risk: 7.5

2021-10-12  CVE-2021-40500  XXE vulnerability in SAP Businessobjects Business Intelligence Platform 4.20/4.30
  SAP BusinessObjects Business Intelligence Platform (Crystal Reports) versions 420 and 430 allow an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data.
  Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-611 | Risk: 7.5

2021-09-15  CVE-2021-33692  Path Traversal vulnerability in SAP Cloud Connector 2.0
  SAP Cloud Connector version 2.0 allows the upload of zip files as backup.
  Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-22 | Risk: 7.5

2021-09-15  CVE-2021-33698  Unrestricted Upload of File with Dangerous Type vulnerability in SAP Business ONE 10.0
  SAP Business One version 10.0 allows an attacker with business authorization to upload any files (including script files) without proper file format validation.
  Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-434 | Risk: 8.8

2021-09-15  CVE-2021-33700  Improper Authentication vulnerability in SAP Business ONE 10.0
  SAP Business One version 10.0 allows a local attacker with access to the victim's browser, under certain circumstances, to log in as the victim without knowing his/her password.
  Attack vector: local | Attack complexity: low | Vendor: SAP | CWE-287 | Risk: 7.8

2021-09-15  CVE-2021-33704  Missing Authorization vulnerability in SAP Business ONE 10.0
  The Service Layer of SAP Business One version 10.0 allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users.
  Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-862 | Risk: 8.8

2021-09-15  CVE-2021-33705  Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Portal
  The SAP NetWeaver Portal versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor, contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which, when clicked by a user, can make any type of request (e.g.
  Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-918 | Risk: 8.1

2021-09-14  CVE-2021-37531  OS Command Injection vulnerability in SAP Netweaver Knowledge Management XML Forms
  SAP NetWeaver Knowledge Management XML Forms versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50 contain an XSLT vulnerability which allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be accessed by the system, and then create a file which will trigger the XSLT engine to execute the script contained within the malicious XSL file.
  Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-78 | Risk: 8.8