Vulnerabilities > SAP > High
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2021-11-10 | CVE-2021-40503 | Insufficiently Protected Credentials vulnerability in SAP GUI for Windows | An information disclosure vulnerability exists in SAP GUI for Windows - versions < 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user's password. | 7.8 |
2021-10-12 | CVE-2021-38178 | Unspecified vulnerability in SAP Netweaver Abap and Netweaver Application Server Abap | The software logistics system of SAP NetWeaver AS ABAP and ABAP Platform versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, enables a malicious user to transfer ABAP code artifacts or content, bypassing the established quality gates. | 8.8 |
2021-10-12 | CVE-2021-38181 | Unspecified vulnerability in SAP Netweaver Abap and Netweaver Application Server Abap | SAP NetWeaver AS ABAP and ABAP Platform - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | 7.5 |
2021-10-12 | CVE-2021-40500 | XXE vulnerability in SAP Businessobjects Business Intelligence Platform 4.20/4.30 | SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. | 7.5 |
2021-09-15 | CVE-2021-33692 | Path Traversal vulnerability in SAP Cloud Connector 2.0 | SAP Cloud Connector, version - 2.0, allows the upload of zip files as backup. | 7.5 |
2021-09-15 | CVE-2021-33698 | Unrestricted Upload of File with Dangerous Type vulnerability in SAP Business ONE 10.0 | SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files (including script files) without the proper file format validation. | 8.8 |
2021-09-15 | CVE-2021-33700 | Improper Authentication vulnerability in SAP Business ONE 10.0 | SAP Business One, version - 10.0, allows a local attacker with access to the victim's browser, under certain circumstances, to log in as the victim without knowing the victim's password. | 7.8 |
2021-09-15 | CVE-2021-33704 | Missing Authorization vulnerability in SAP Business ONE 10.0 | The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. | 8.8 |
2021-09-15 | CVE-2021-33705 | Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Portal | The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which, when clicked by a user, can make any type of request (e.g. | 8.1 |
2021-09-14 | CVE-2021-37531 | OS Command Injection vulnerability in SAP Netweaver Knowledge Management XML Forms | SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, contains an XSLT vulnerability which allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be accessed by the system, and then create a file which will trigger the XSLT engine to execute the script contained within the malicious XSL file. | 8.8 |