Vulnerabilities > SAP > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-05-23 | CVE-2017-8914 | Unspecified vulnerability in SAP Hana XS 1.00/2.00 sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to hijack npm packages or host arbitrary files by leveraging an insecure user creation policy, aka SAP Security Note 2407694. | 8.3 |
| 2017-05-23 | CVE-2017-8913 | XXE vulnerability in SAP Netweaver Application Server Java 7.50 The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873. | 8.8 |
| 2017-05-10 | CVE-2017-8852 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP Sapcar 721.510 SAP SAPCAR 721.510 has a Heap Based Buffer Overflow Vulnerability. | 7.8 |
| 2017-04-14 | CVE-2017-7717 | SQL Injection vulnerability in SAP Netweaver Application Server Java 7.40 SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504. | 8.8 |
| 2017-04-14 | CVE-2017-7696 | Allocation of Resources Without Limits or Throttling vulnerability in SAP SSO Authentication Library 2.0/3.0 SAP AS JAVA SSO Authentication Library 2.0 through 3.0 allow remote attackers to cause a denial of service (memory consumption) via large values in the width and height parameters to otp_logon_ui_resources/qr, aka SAP Security Note 2389042. | 7.5 |
| 2017-02-15 | CVE-2017-5997 | Missing Release of Resource after Effective Lifetime vulnerability in SAP Kernel 7.21/7.22/7.42 The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows remote attackers to cause a denial of service (memory consumption and process crash) via multiple msgserver/group?group= requests with a crafted size of the group parameter, aka SAP Security Note 2358972. | 7.5 |
| 2017-02-01 | CVE-2016-10079 | Improper Input Validation vulnerability in SAP Saplpd 7400.3.11.33 SAPlpd through 7400.3.11.33 in SAP GUI 7.40 on Windows has a Denial of Service vulnerability (service crash) with a long string to TCP port 515. | 7.5 |
| 2017-01-23 | CVE-2017-5372 | Information Exposure vulnerability in SAP Netweaver The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for the (1) getInformation, (2) getParameters, (3) getServiceInfo, (4) getStatistic, or (5) getClientStatistic function, aka SAP Security Note 2331908. | 7.5 |
| 2016-12-19 | CVE-2016-10005 | Information Exposure vulnerability in SAP Solution Manager 7.1/7.20/7.31 Webdynpro in SAP Solman 7.1 through 7.31 allows remote attackers to obtain sensitive information via webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd requests, aka SAP Security Note 2344524. | 7.5 |
| 2016-11-23 | CVE-2016-9562 | NULL Pointer Dereference vulnerability in SAP Netweaver Application Server Java 7.40 SAP NetWeaver AS JAVA 7.4 allows remote attackers to cause a Denial of Service (null pointer exception and icman outage) via an HTTPS request to the sap.com~P4TunnelingApp!web/myServlet URI, aka SAP Security Note 2313835. | 7.5 |