Vulnerabilities > SAP > High

DATE CVE VULNERABILITY TITLE RISK
2023-07-11 CVE-2023-36917 Improper Restriction of Excessive Authentication Attempts vulnerability in SAP Businessobjects Business Intelligence 420/430
SAP BusinessObjects Business Intelligence Platform - version 420, 430, allows an unauthorized attacker who had hijacked a user session, to be able to bypass the victim’s old password via brute force, due to unrestricted rate limit for password change functionality.
network
low complexity
sap CWE-307
7.5
2023-07-11 CVE-2023-36921 Improper Encoding or Escaping of Output vulnerability in SAP Solution Manager 7.20
SAP Solution Manager (Diagnostics agent) - version 7.20, allows an attacker to tamper with headers in a client request.
network
low complexity
sap CWE-116
7.2
2023-07-11 CVE-2023-36922 OS Command Injection vulnerability in SAP Netweaver
Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension.
network
low complexity
sap CWE-78
8.8
2023-07-11 CVE-2023-36925 Server-Side Request Forgery (SSRF) vulnerability in SAP Solution Manager 7.20
SAP Solution Manager (Diagnostics agent) - version 7.20, allows an unauthenticated attacker to blindly execute HTTP requests.
network
low complexity
sap CWE-918
7.2
2023-06-13 CVE-2023-33991 Cross-site Scripting vulnerability in SAP UI
SAP UI5 Variant Management - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, UI_700 200, does not sufficiently encode user-controlled inputs on reading data from the server, resulting in Stored Cross-Site Scripting (Stored XSS) vulnerability.
network
low complexity
sap CWE-79
8.2
2023-05-09 CVE-2023-30740 Information Exposure vulnerability in SAP Businessobjects Business Intelligence 420/430
SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted.
network
low complexity
sap CWE-200
7.6
2023-05-09 CVE-2023-32111 Out-of-bounds Write vulnerability in SAP Powerdesigner Proxy 16.7
In SAP PowerDesigner (Proxy) - version 16.7, an attacker can send a crafted request from a remote host to the proxy machine and crash the proxy server, due to faulty implementation of memory management causing a memory corruption.
network
low complexity
sap CWE-787
7.5
2023-05-09 CVE-2023-28762 Unspecified vulnerability in SAP Businessobjects Business Intelligence 420/430
SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker with administrator privileges to get the login token of any logged-in BI user over the network without any user interaction.
network
low complexity
sap
7.2
2023-03-14 CVE-2023-27271 Server-Side Request Forgery (SSRF) vulnerability in SAP Businessobjects Business Intelligence Platform 420/430
In SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, an attacker can control a malicious BOE server, forcing the application server to connect to its own admintools, leading to a high impact on availability.
network
low complexity
sap CWE-918
7.5
2023-03-14 CVE-2023-27498 Stack-based Buffer Overflow vulnerability in SAP Host Agent 7.22
SAP Host Agent (SAPOSCOL) - version 7.22, allows an unauthenticated attacker with network access to a server port assigned to the SAP Start Service to submit a crafted request which results in a memory corruption error.
network
low complexity
sap CWE-121
7.2