Vulnerabilities > SAP > High

| Date | CVE | Vulnerability title | Description | Attack vector | Complexity | Vendor | CWE | Risk score |
|---|---|---|---|---|---|---|---|---|
| 2018-03-01 | CVE-2018-2368 | Missing Authentication for Critical Function vulnerability in SAP NetWeaver System Landscape Directory | SAP NetWeaver System Landscape Directory, LM-CORE 7.10, 7.20, 7.30, 7.31, 7.40, does not perform any authentication checks for functionalities that require user identity. | network | low | SAP | CWE-306 | 7.5 |
| 2018-02-14 | CVE-2018-2376 | Unspecified vulnerability in SAP HANA Extended Application Services 1.0 | In SAP HANA Extended Application Services, 1.0, a controller user who has SpaceAuditor authorization in a specific space could retrieve application environments within that space. | network | low | SAP | | 8.1 |
| 2018-02-14 | CVE-2018-2375 | Unspecified vulnerability in SAP HANA Extended Application Services 1.0 | In SAP HANA Extended Application Services, 1.0, a controller user who has SpaceAuditor authorization in a specific space could retrieve application environments within that space. | network | low | SAP | | 8.1 |
| 2018-02-14 | CVE-2018-2373 | Unspecified vulnerability in SAP HANA Extended Application Services 1.0 | Under certain circumstances, a specific endpoint of the Controller's API could be misused by unauthenticated users to execute SQL statements that deliver information about system configuration in SAP HANA Extended Application Services, 1.0. | network | low | SAP | | 7.5 |
| 2017-12-12 | CVE-2017-16684 | Improper Authentication vulnerability in SAP Business Intelligence Promotion Management Application 4.10/4.20/4.30 | SAP Business Intelligence Promotion Management Application, Enterprise 4.10, 4.20, and 4.30, does not perform authentication checks for functionalities that require user identity. | network | low | SAP | CWE-287 | 7.5 |
| 2017-12-12 | CVE-2017-16680 | Injection vulnerability in SAP HANA Extended Application Services 1.0 | Two potential audit log injections in SAP HANA extended application services 1.0, advanced model: 1) Certain HTTP/REST endpoints of the controller service are missing user input validation, which could allow unprivileged attackers to forge audit log lines. | network | low | SAP | CWE-74 | 7.5 |
| 2017-09-06 | CVE-2015-7241 | XXE vulnerability in SAP NetWeaver 4.0/6.4/7.0 | XML External Entity (XXE) vulnerability in SAP NetWeaver before 7.01. | network | low | SAP | CWE-611 | 7.5 |
| 2017-08-07 | CVE-2017-12637 | Path Traversal vulnerability in SAP NetWeaver Application Server Java 7.50 | Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. | network | low | SAP | CWE-22 | 7.5 |
| 2017-07-25 | CVE-2017-11459 | Code Injection vulnerability in SAP TREX 7.10 | SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via an fget command or (2) write to arbitrary files and consequently execute arbitrary code via an fdir command, aka SAP Security Note 2419592. | network | low | SAP | CWE-94 | 7.5 |
| 2017-07-12 | CVE-2017-9845 | Resource Exhaustion vulnerability in SAP NetWeaver 7.40 | disp+work 7400.12.21.30308 in SAP NetWeaver 7.40 allows remote attackers to cause a denial of service (resource consumption) via a crafted DIAG request, aka SAP Security Note 2405918. | network | low | SAP | CWE-400 | 7.8 |