Vulnerabilities > SAP > Low
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-04-13 | CVE-2021-27600 | Cross-site Scripting vulnerability in SAP Manufacturing Execution. SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into an HTTP parameter and send it to the server because the SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in a Stored Cross-Site Scripting (XSS) vulnerability. | 3.5 |
2021-01-12 | CVE-2021-21445 | HTTP Request Smuggling vulnerability in SAP Commerce Cloud. SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user. | 3.5 |
2021-01-12 | CVE-2021-21447 | Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence 410/420. SAP BusinessObjects Business Intelligence platform, versions 410, 420, allows an authenticated attacker to inject a malicious JavaScript payload into the custom value input field of an Input Control, which can be executed by a user who views the relevant application content, which leads to Stored Cross-Site Scripting. | 3.5 |
2021-01-12 | CVE-2021-21448 | Unspecified vulnerability in SAP Graphical User Interface 7.60. SAP GUI for Windows, version - 7.60, allows an attacker to spoof logon credentials for Application Server ABAP backend systems in the client PC's memory. | 2.1 |
2021-01-12 | CVE-2021-21470 | XXE vulnerability in SAP Enterprise Performance Management 1010/2.8. SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in applications that accept attacker-controlled XML configuration files. | 3.6 |
2020-12-09 | CVE-2020-26816 | Missing Encryption of Sensitive Data vulnerability in SAP Netweaver Application Server Java. In SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, the key material held by the SAP NetWeaver AS Java Key Storage service is stored in the database in DER-encoded format and is not encrypted. | 2.7 |
2020-11-30 | CVE-2020-6317 | Information Exposure vulnerability in SAP Adaptive Server Enterprise 15.7/16.0. In certain situations, an attacker with regular user credentials and local access to an ASE cockpit installation can access sensitive information which appears in the installation log files. | 2.7 |
2020-11-10 | CVE-2020-26807 | Incorrect Default Permissions vulnerability in SAP ERP Client for E-Bilanz 1.0. The installation of SAP ERP Client for E-Bilanz, version - 1.0, sets incorrect default filesystem permissions on its installation folder, which allows anyone to modify the files in the folder. | 2.1 |
2020-10-20 | CVE-2020-6370 | Cross-site Scripting vulnerability in SAP Netweaver Design Time Repository. SAP NetWeaver Design Time Repository (DTR), versions - 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. | 3.5 |
2020-10-15 | CVE-2020-6272 | Cross-site Scripting vulnerability in SAP Commerce Cloud. SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, does not sufficiently encode user inputs, which allows an authenticated and authorized content manager to inject malicious script into several web CMS components. | 3.5 |