Vulnerabilities > SAP > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-12-13 | CVE-2022-41272 | Missing Authorization vulnerability in SAP Netweaver Process Integration 7.50 An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) - version 7.50 and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data across the entire system. | 8.6 |
2022-12-13 | CVE-2022-41264 | Code Injection vulnerability in SAP Basis Due to the unrestricted scope of the RFC function module, SAP BASIS - versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. | 8.8 |
2022-12-13 | CVE-2022-41267 | Unrestricted Upload of File with Dangerous Type vulnerability in SAP Business Objects Business Intelligence Platform 420/430 SAP Business Objects Platform - versions 420, and 430, allows an attacker with normal BI user privileges to upload/replace any file on Business Objects server at the operating system level, enabling the attacker to take full control of the system causing a high impact on confidentiality, integrity, and availability of the application. | 8.8 |
2022-12-13 | CVE-2022-41268 | Improper Privilege Management vulnerability in SAP Business Planning and Consolidation In some SAP standard roles in SAP Business Planning and Consolidation - versions - SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPMBPC 810, a transaction code reserved for the customer is used. | 7.5 |
2022-11-08 | CVE-2022-41203 | Deserialization of Untrusted Data vulnerability in SAP Businessobjects Business Intelligence 4.2/4.3 In some workflow of SAP BusinessObjects BI Platform (Central Management Console and BI LaunchPad), an authenticated attacker with low privileges can intercept a serialized object in the parameters and substitute with another malicious serialized object, which leads to deserialization of untrusted data vulnerability. | 8.8 |
2022-11-08 | CVE-2022-41211 | Out-of-bounds Write vulnerability in SAP products Due to lack of proper memory management, when a victim opens manipulated file received from untrusted sources in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer, Arbitrary Code Execution can be triggered when payload forces:Re-use of dangling pointer which refers to overwritten space in memory. | 7.8 |
2022-11-08 | CVE-2022-41214 | Improper Input Validation vulnerability in SAP Netweaver Application Server Abap Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to delete a file which is otherwise restricted. | 8.7 |
2022-10-11 | CVE-2022-39013 | Unspecified vulnerability in SAP Business Objects Business Intelligence Platform 420/430 Under certain conditions an authenticated attacker can get access to OS credentials. | 7.6 |
2022-10-11 | CVE-2022-39802 | Path Traversal vulnerability in SAP Manufacturing Execution 15.1/15.2/15.3 SAP Manufacturing Execution - versions 15.1, 15.2, 15.3, allows an attacker to exploit insufficient validation of a file path request parameter. | 7.5 |
2022-10-11 | CVE-2022-39803 | Out-of-bounds Write vulnerability in SAP 3D Visual Enterprise Author 9.0 Due to lack of proper memory management, when a victim opens a manipulated ACIS Part and Assembly (.sat, CoreCadTranslator.exe) file received from untrusted sources in SAP 3D Visual Enterprise Author - version 9, it is possible that a Remote Code Execution can be triggered when payload forces a stack-based overflow or a re-use of dangling pointer which refers to overwritten space in memory. | 7.8 |