Vulnerabilities > SAP > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-10-08 | CVE-2024-37179 | Unrestricted Upload of File with Dangerous Type vulnerability in SAP Businessobjects Business Intelligence 2025/420/430 SAP BusinessObjects Business Intelligence Platform allows an authenticated user to send a specially crafted request to the Web Intelligence Reporting Server to download any file from the machine hosting the service, causing high impact on confidentiality of the application. | 6.5 |
| 2024-10-08 | CVE-2024-45277 | Unspecified vulnerability in SAP Hana-Client The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. | 4.3 |
| 2024-10-08 | CVE-2024-45278 | Cross-site Scripting vulnerability in SAP Commerce Backoffice 2205/2211 SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | 5.4 |
| 2024-10-08 | CVE-2024-45282 | Trusting HTTP Permission Methods on the Server Side vulnerability in SAP S/4 Hana Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. | 5.3 |
| 2024-10-08 | CVE-2024-47594 | Cross-site Scripting vulnerability in SAP Netweaver Enterprise Portal 7.50 SAP NetWeaver Enterprise Portal (KMC) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability in KMC servlet. | 5.4 |
| 2024-09-10 | CVE-2024-44112 | Missing Authorization vulnerability in SAP OIL %/ GAS Due to missing authorization check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function which will allow them to delete non-sensitive entries in a user data table. | 4.3 |
| 2024-08-13 | CVE-2024-39591 | Missing Authorization vulnerability in SAP Document Builder SAP Document Builder does not perform necessary authorization checks for one of the function modules resulting in escalation of privileges causing low impact on confidentiality of the application. | 5.3 |
| 2024-08-13 | CVE-2024-41734 | Missing Authorization vulnerability in SAP Netweaver Application Server Abap Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user related information. | 4.3 |
| 2024-08-13 | CVE-2024-42373 | Missing Authorization vulnerability in SAP Student Life Cycle Management SAP Student Life Cycle Management (SLcM) fails to conduct proper authorization checks for authenticated users, leading to the potential escalation of privileges. | 5.4 |
| 2024-08-13 | CVE-2024-28166 | Unrestricted Upload of File with Dangerous Type vulnerability in SAP Business Objects Business Intelligence Platform 430/440/Enterprise420 SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application. | 4.3 |