Vulnerabilities > SAP > High

DATE CVE VULNERABILITY TITLE RISK
2023-02-14 CVE-2023-0020 Information Exposure vulnerability in SAP Businessobjects Business Intelligence Platform 420/430
SAP BusinessObjects Business Intelligence platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted.
network
low complexity
sap CWE-200
7.1
2023-02-14 CVE-2023-24523 Exposure of Resource to Wrong Sphere vulnerability in SAP Host Agent 7.21/7.22
An attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent (Start Service) - versions 7.21, 7.22, can submit a crafted ConfigureOutsideDiscovery request with an operating system command which will be executed with administrator privileges.  The OS command can read or modify any user or system data and can make the system unavailable.
local
low complexity
sap CWE-668
8.8
2023-01-10 CVE-2023-0016 SQL Injection vulnerability in SAP Business Planning and Consolidation 800/810
SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries.
network
low complexity
sap CWE-89
8.8
2023-01-10 CVE-2023-0022 Code Injection vulnerability in SAP Businessobjects Business Intelligence Platform 420/430
SAP BusinessObjects Business Intelligence Analysis edition for OLAP allows an authenticated attacker to inject malicious code that can be executed by the application over the network.
network
low complexity
sap CWE-94
8.8
2022-12-13 CVE-2022-41272 Missing Authorization vulnerability in SAP Netweaver Process Integration 7.50
An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) - version 7.50 and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data across the entire system.
network
low complexity
sap CWE-862
8.6
2022-12-13 CVE-2022-41264 Code Injection vulnerability in SAP Basis
Due to the unrestricted scope of the RFC function module, SAP BASIS - versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker.
network
low complexity
sap CWE-94
8.8
2022-12-13 CVE-2022-41267 Unrestricted Upload of File with Dangerous Type vulnerability in SAP Business Objects Business Intelligence Platform 420/430
SAP Business Objects Platform - versions 420, and 430, allows an attacker with normal BI user privileges to upload/replace any file on Business Objects server at the operating system level, enabling the attacker to take full control of the system causing a high impact on confidentiality, integrity, and availability of the application.
network
low complexity
sap CWE-434
8.8
2022-12-13 CVE-2022-41268 Improper Privilege Management vulnerability in SAP Business Planning and Consolidation
In some SAP standard roles in SAP Business Planning and Consolidation - versions - SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPMBPC 810, a transaction code reserved for the customer is used.
network
high complexity
sap CWE-269
7.5
2022-11-08 CVE-2022-41203 Deserialization of Untrusted Data vulnerability in SAP Businessobjects Business Intelligence 4.2/4.3
In some workflow of SAP BusinessObjects BI Platform (Central Management Console and BI LaunchPad), an authenticated attacker with low privileges can intercept a serialized object in the parameters and substitute with another malicious serialized object, which leads to deserialization of untrusted data vulnerability.
network
low complexity
sap CWE-502
8.8
2022-11-08 CVE-2022-41211 Out-of-bounds Write vulnerability in SAP products
Due to lack of proper memory management, when a victim opens manipulated file received from untrusted sources in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer, Arbitrary Code Execution can be triggered when payload forces:Re-use of dangling pointer which refers to overwritten space in memory.
local
low complexity
sap CWE-787
7.8