Vulnerabilities > SAP > High

DATE CVE VULNERABILITY TITLE RISK
2023-07-11 CVE-2023-35874 Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver Application Server ABAP and ABAP Platform - version KRNL64NUC, 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL, 7.53, KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.92, KERNEL 7.93, under some conditions, performs improper authentication checks for functionalities that require user identity.
network
low complexity
sap CWE-306
7.4
2023-07-11 CVE-2023-36917 Improper Restriction of Excessive Authentication Attempts vulnerability in SAP Businessobjects Business Intelligence 420/430
SAP BusinessObjects Business Intelligence Platform - version 420, 430, allows an unauthorized attacker who had hijacked a user session, to be able to bypass the victim’s old password via brute force, due to unrestricted rate limit for password change functionality.
network
low complexity
sap CWE-307
7.5
2023-07-11 CVE-2023-36921 Improper Encoding or Escaping of Output vulnerability in SAP Solution Manager 7.20
SAP Solution Manager (Diagnostics agent) - version 7.20, allows an attacker to tamper with headers in a client request.
network
low complexity
sap CWE-116
7.2
2023-07-11 CVE-2023-36922 OS Command Injection vulnerability in SAP Netweaver
Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension.
network
low complexity
sap CWE-78
8.8
2023-07-11 CVE-2023-36925 Server-Side Request Forgery (SSRF) vulnerability in SAP Solution Manager 7.20
SAP Solution Manager (Diagnostics agent) - version 7.20, allows an unauthenticated attacker to blindly execute HTTP requests.
network
low complexity
sap CWE-918
7.2
2023-06-13 CVE-2023-33991 Cross-site Scripting vulnerability in SAP UI
SAP UI5 Variant Management - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, UI_700 200, does not sufficiently encode user-controlled inputs on reading data from the server, resulting in Stored Cross-Site Scripting (Stored XSS) vulnerability.
network
low complexity
sap CWE-79
8.2
2023-05-09 CVE-2023-30740 Information Exposure vulnerability in SAP Businessobjects Business Intelligence 420/430
SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted.
network
low complexity
sap CWE-200
7.6
2023-05-09 CVE-2023-32111 Out-of-bounds Write vulnerability in SAP Powerdesigner Proxy 16.7
In SAP PowerDesigner (Proxy) - version 16.7, an attacker can send a crafted request from a remote host to the proxy machine and crash the proxy server, due to faulty implementation of memory management causing a memory corruption.
network
low complexity
sap CWE-787
7.5
2023-05-09 CVE-2023-28762 Unspecified vulnerability in SAP Businessobjects Business Intelligence 420/430
SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker with administrator privileges to get the login token of any logged-in BI user over the network without any user interaction.
network
low complexity
sap
7.2
2023-04-11 CVE-2023-26458 Exposure of Resource to Wrong Sphere vulnerability in SAP Landscape Management 3.0
An information disclosure vulnerability exists in SAP Landscape Management - version 3.0, enterprise edition.
network
low complexity
sap CWE-668
8.7