Vulnerabilities > SAP > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-10-08 CVE-2024-37179 Unrestricted Upload of File with Dangerous Type vulnerability in SAP Businessobjects Business Intelligence 2025/420/430
SAP BusinessObjects Business Intelligence Platform allows an authenticated user to send a specially crafted request to the Web Intelligence Reporting Server to download any file from the machine hosting the service, causing high impact on confidentiality of the application.
network
low complexity
sap CWE-434
6.5
2024-10-08 CVE-2024-45277 Unspecified vulnerability in SAP Hana-Client
The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes.
network
low complexity
sap
4.3
2024-10-08 CVE-2024-45278 Cross-site Scripting vulnerability in SAP Commerce Backoffice 2205/2211
SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
5.4
2024-10-08 CVE-2024-45282 Trusting HTTP Permission Methods on the Server Side vulnerability in SAP S/4 Hana
Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method.
network
low complexity
sap CWE-650
5.3
2024-10-08 CVE-2024-47594 Cross-site Scripting vulnerability in SAP Netweaver Enterprise Portal 7.50
SAP NetWeaver Enterprise Portal (KMC) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability in KMC servlet.
network
low complexity
sap CWE-79
5.4
2024-09-10 CVE-2024-44112 Missing Authorization vulnerability in SAP OIL %/ GAS
Due to missing authorization check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function which will allow them to delete non-sensitive entries in a user data table.
network
low complexity
sap CWE-862
4.3
2024-08-13 CVE-2024-39591 Missing Authorization vulnerability in SAP Document Builder
SAP Document Builder does not perform necessary authorization checks for one of the function modules resulting in escalation of privileges causing low impact on confidentiality of the application.
network
low complexity
sap CWE-862
5.3
2024-08-13 CVE-2024-41734 Missing Authorization vulnerability in SAP Netweaver Application Server Abap
Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user related information.
network
low complexity
sap CWE-862
4.3
2024-08-13 CVE-2024-42373 Missing Authorization vulnerability in SAP Student Life Cycle Management
SAP Student Life Cycle Management (SLcM) fails to conduct proper authorization checks for authenticated users, leading to the potential escalation of privileges.
network
low complexity
sap CWE-862
5.4
2024-08-13 CVE-2024-28166 Unrestricted Upload of File with Dangerous Type vulnerability in SAP Business Objects Business Intelligence Platform 430/440/Enterprise420
SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application.
network
low complexity
sap CWE-434
4.3