Vulnerabilities > SAP > High

DATE | CVE | VULNERABILITY TITLE | RISK

2023-09-12 | CVE-2023-42472 | Unrestricted Upload of File with Dangerous Type vulnerability in SAP Businessobjects Business Intelligence Platform 420 | 7.3
Due to insufficient file type validation, SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) - version 420, allows a report creator to upload files from local system into the report over the network.
network, low complexity, sap CWE-434

2023-08-15 | CVE-2023-39438 | Missing Authorization vulnerability in SAP Contributor License Agreement Assistant | 8.1
A missing authorization check allows an arbitrary authenticated user to perform certain operations through the API of CLA-assistant by executing specific additional steps.
network, low complexity, sap CWE-862

2023-08-08 | CVE-2023-33993 | SQL Injection vulnerability in SAP Business ONE 10.0 | 7.5
B1i module of SAP Business One - version 10.0, application allows an authenticated user with deep knowledge to send crafted queries over the network to read or modify the SQL data.
network, high complexity, sap CWE-89

2023-08-08 | CVE-2023-36923 | Code Injection vulnerability in SAP Powerdesigner 16.7 | 7.8
SAP SQLA for PowerDesigner 17 bundled with SAP PowerDesigner 16.7 SP06 PL03, allows an attacker with local access to the system, to place a malicious library, that can be executed by the application.
local, low complexity, sap CWE-94

2023-08-08 | CVE-2023-37486 | Information Exposure Through Caching vulnerability in SAP Commerce Cloud and Commerce Hycom | 7.5
Under certain conditions SAP Commerce (OCC API) - versions HY_COM 2105, HY_COM 2205, COM_CLOUD 2211, endpoints allow an attacker to access information which would otherwise be restricted.
network, low complexity, sap CWE-524

2023-08-08 | CVE-2023-37491 | Incorrect Authorization vulnerability in SAP Message Server | 8.8
The ACL (Access Control List) of SAP Message Server - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, RNL64UC 7.22, RNL64UC 7.22EXT, RNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22EXT, can be bypassed in certain conditions, which may enable an authenticated malicious user to enter the network of the SAP systems served by the attacked SAP Message server.
network, low complexity, sap CWE-863

2023-07-11 | CVE-2023-33989 | Path Traversal vulnerability in SAP Netweaver BI Content | 8.1
An attacker with non-administrative authorizations in SAP NetWeaver (BI CONT ADD ON) - versions 707, 737, 747, 757, can exploit a directory traversal flaw to over-write system files.
network, low complexity, sap CWE-22

2023-07-11 | CVE-2023-33990 | Incorrect Permission Assignment for Critical Resource vulnerability in SAP SQL Anywhere 17.0 | 7.1
SAP SQL Anywhere - version 17.0, allows an attacker to prevent legitimate users from accessing the service by crashing the service.
local, low complexity, sap CWE-732

2023-07-11 | CVE-2023-35870 | Incorrect Permission Assignment for Critical Resource vulnerability in SAP S4Core | 7.3
When creating a journal entry template in SAP S/4HANA (Manage Journal Entry Template) - versions S4CORE 104, 105, 106, 107, an attacker could intercept the save request and change the template, leading to an impact on confidentiality and integrity of the resource.
network, low complexity, sap CWE-732

2023-07-11 | CVE-2023-35874 | Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server Abap | 7.4
SAP NetWeaver Application Server ABAP and ABAP Platform - version KRNL64NUC, 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL, 7.53, KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.92, KERNEL 7.93, under some conditions, performs improper authentication checks for functionalities that require user identity.
network, low complexity, sap CWE-306