Vulnerabilities > SAP > High
DATE | CVE | VULNERABILITY TITLE AND DESCRIPTION | RISK |
---|---|---|---|
2018-03-01 | CVE-2018-2368 | Missing Authentication for Critical Function vulnerability in SAP NetWeaver System Landscape Directory: SAP NetWeaver System Landscape Directory, LM-CORE 7.10, 7.20, 7.30, 7.31, 7.40, does not perform any authentication checks for functionalities that require user identity. | 7.5 |
2018-02-14 | CVE-2018-2376 | Unspecified vulnerability in SAP HANA Extended Application Services 1.0: In SAP HANA Extended Application Services, 1.0, a controller user who has SpaceAuditor authorization in a specific space could retrieve application environments within that space. | 8.1 |
2018-02-14 | CVE-2018-2375 | Unspecified vulnerability in SAP HANA Extended Application Services 1.0: In SAP HANA Extended Application Services, 1.0, a controller user who has SpaceAuditor authorization in a specific space could retrieve application environments within that space. | 8.1 |
2018-02-14 | CVE-2018-2373 | Unspecified vulnerability in SAP HANA Extended Application Services 1.0: Under certain circumstances, a specific endpoint of the Controller's API could be misused by unauthenticated users to execute SQL statements that deliver information about system configuration in SAP HANA Extended Application Services, 1.0. | 7.5 |
2017-12-12 | CVE-2017-16684 | Improper Authentication vulnerability in SAP Business Intelligence Promotion Management Application 4.10/4.20/4.30: SAP Business Intelligence Promotion Management Application, Enterprise 4.10, 4.20, and 4.30, does not perform authentication checks for functionalities that require user identity. | 7.5 |
2017-12-12 | CVE-2017-16680 | Injection vulnerability in SAP HANA Extended Application Services 1.0: Two potential audit log injections in SAP HANA extended application services 1.0, advanced model: 1) Certain HTTP/REST endpoints of controller service are missing user input validation which could allow unprivileged attackers to forge audit log lines. | 7.5 |
2017-09-06 | CVE-2015-7241 | XXE vulnerability in SAP NetWeaver 4.0/6.4/7.0: XML External Entity (XXE) vulnerability in SAP NetWeaver before 7.01. | 7.5 |
2017-08-07 | CVE-2017-12637 | Path Traversal vulnerability in SAP NetWeaver Application Server Java 7.50: Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. | 7.5 |
2017-07-25 | CVE-2017-11459 | Code Injection vulnerability in SAP TREX 7.10: SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via an fget command or (2) write to arbitrary files and consequently execute arbitrary code via an fdir command, aka SAP Security Note 2419592. | 7.5 |
2017-07-12 | CVE-2017-9845 | Resource Exhaustion vulnerability in SAP NetWeaver 7.40: disp+work 7400.12.21.30308 in SAP NetWeaver 7.40 allows remote attackers to cause a denial of service (resource consumption) via a crafted DIAG request, aka SAP Security Note 2405918. | 7.8 |