Vulnerabilities > SAP > High

DATE CVE VULNERABILITY TITLE RISK
2004-04-15 CVE-2003-1039 Remote Security vulnerability in Mysap Business Suite
Multiple buffer overflows in the mySAP.com architecture for SAP allow remote attackers to execute arbitrary code via a long HTTP Host header to (1) Message Server, (2) Web Dispatcher, or (3) Application Server.
network
low complexity
sap
7.5
2004-04-15 CVE-2003-1037 Remote Security vulnerability in Internet Transaction Server 4620.2.0.323011
Format string vulnerability in the WGate component for SAP Internet Transaction Server (ITS) allows remote attackers to execute arbitrary code via a high "trace level."
network
low complexity
sap
7.5
2004-04-15 CVE-2003-1036 Remote Security vulnerability in Internet Transaction Server 4620.2.0.323011
Multiple buffer overflows in the AGate component for SAP Internet Transaction Server (ITS) allow remote attackers to execute arbitrary code via long (1) ~command, (2) ~runtimemode, or (3) ~session parameters, or (4) a long HTTP Content-Type header.
network
low complexity
sap
7.5
2004-04-15 CVE-2003-1035 Unspecified vulnerability in SAP R 3 and Sapgui
The default installation of SAP R/3 46C/D allows remote attackers to bypass account locking by using the RFC API instead of the SAPGUI to conduct a brute force password guessing attack, which does not lock out the account like the SAPGUI does.
network
low complexity
sap
7.5
2004-04-15 CVE-2003-1033 Unspecified vulnerability in SAP DB 7.3.00/7.4
The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program, which allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program.
local
low complexity
sap
7.2
2004-04-15 CVE-2002-1578 Unspecified vulnerability in SAP R 3
The default installation of SAP R/3, when using Oracle and SQL*net V2 3.x, 4.x, and 6.10, allows remote attackers to obtain arbitrary, sensitive SAP data by directly connecting to the Oracle database and executing queries against the database, which is not password-protected.
network
low complexity
sap
7.5
2004-04-15 CVE-2002-1577 Remote Security vulnerability in SAP R 3 2.0Bto4.6D
SAP R/3 2.0B to 4.6D installs several clients with default users and passwords, which allows remote attackers to gain privileges via the (1) SAP*, (2) SAPCPIC, (3) DDIC, (4) EARLYWATCH, or (5) TMSADM accounts.
network
low complexity
sap
7.5
2004-04-15 CVE-2002-1576 Symbolic Link vulnerability in SAP DB 7.3.00
lserver in SAP DB 7.3 and earlier uses the current working directory to find and execute the lserversrv program, which allows local users to gain privileges with a malicious lserversrv that is called from a directory that has a symlink to the lserver program.
local
low complexity
sap
7.2
2003-12-15 CVE-2003-0945 Remote Security vulnerability in Sap Db
The Web Database Manager in web-tools for SAP DB before 7.4.03.30 generates predictable session IDs, which allows remote attackers to conduct unauthorized activities.
network
low complexity
sap
7.5
2003-12-15 CVE-2003-0944 Remote Security vulnerability in Sap Db
Buffer overflow in the WAECHO default service in web-tools in SAP DB before 7.4.03.30 allows remote attackers to execute arbitrary code via a URL with a long requestURI.
network
low complexity
sap
7.5