Vulnerabilities > SAP > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-14 | CVE-2023-27500 | Path Traversal vulnerability in SAP Netweaver Application Server Abap An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to over-write system files. | 8.1 |
| 2023-03-14 | CVE-2023-27896 | Server-Side Request Forgery (SSRF) vulnerability in SAP Businessobjects Business Intelligence 420/430 In SAP BusinessObjects Business Intelligence Platform - version 420, 430, an attacker can control a malicious BOE server, forcing the application server to connect to its own CMS, leading to a high impact on availability. | 7.5 |
| 2023-03-14 | CVE-2023-23857 | Improper Authentication vulnerability in SAP Netweaver Application Server for Java 7.50 Due to missing authentication check, SAP NetWeaver AS for Java - version 7.50, allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services across systems. | 8.6 |
| 2023-03-14 | CVE-2023-25616 | Injection vulnerability in SAP Business Objects Business Intelligence Platform 420/430 In some scenario, SAP Business Objects Business Intelligence Platform (CMC) - versions 420, 430, Program Object execution can lead to code injection vulnerability which could allow an attacker to gain access to resources that are allowed by extra privileges. | 8.8 |
| 2023-03-14 | CVE-2023-25617 | OS Command Injection vulnerability in SAP Business Objects Business Intelligence Platform 420/430 SAP Business Object (Adaptive Job Server) - versions 420, 430, allows remote execution of arbitrary commands on Unix, when program objects execution is enabled, to authenticated users with scheduling rights, using the BI Launchpad, Central Management Console or a custom application based on the public java SDK. | 8.8 |
| 2023-03-14 | CVE-2023-26459 | Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Application Server Abap Due to improper input controls In SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, an attacker authenticated as a non-administrative user can craft a request which will trigger the application server to send a request to an arbitrary URL which can reveal, modify or make unavailable non-sensitive information, leading to low impact on Confidentiality, Integrity and Availability. | 7.4 |
| 2023-02-14 | CVE-2023-0020 | Information Exposure vulnerability in SAP Businessobjects Business Intelligence Platform 420/430 SAP BusinessObjects Business Intelligence platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted. | 7.1 |
| 2023-02-14 | CVE-2023-24523 | Exposure of Resource to Wrong Sphere vulnerability in SAP Host Agent 7.21/7.22 An attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent (Start Service) - versions 7.21, 7.22, can submit a crafted ConfigureOutsideDiscovery request with an operating system command which will be executed with administrator privileges. The OS command can read or modify any user or system data and can make the system unavailable. | 8.8 |
| 2023-01-10 | CVE-2023-0016 | SQL Injection vulnerability in SAP Business Planning and Consolidation 800/810 SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries. | 8.8 |
| 2023-01-10 | CVE-2023-0022 | Code Injection vulnerability in SAP Businessobjects Business Intelligence Platform 420/430 SAP BusinessObjects Business Intelligence Analysis edition for OLAP allows an authenticated attacker to inject malicious code that can be executed by the application over the network. | 8.8 |