Vulnerabilities > SAP > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-04-11 | CVE-2023-27499 | Cross-site Scripting vulnerability in SAP Netweaver and Netweaver Application Server Abap SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. | 6.1 |
| 2023-04-11 | CVE-2023-27897 | Code Injection vulnerability in SAP Customer Relationship Management In SAP CRM - versions 700, 701, 702, 712, 713, an attacker who is authenticated with a non-administrative role and a common remote execution authorization can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. | 6.3 |
| 2023-04-11 | CVE-2023-28761 | Missing Authentication for Critical Function vulnerability in SAP Netweaver Enterprise Portal 7.50 In SAP NetWeaver Enterprise Portal - version 7.50, an unauthenticated attacker can attach to an open interface and make use of an open API to access a service which will enable them to access or modify server settings and data, leading to limited impact on confidentiality and integrity. | 6.5 |
| 2023-04-11 | CVE-2023-28763 | Unspecified vulnerability in SAP Netweaver Application Server Abap SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters which can consume the server's resources sufficiently to make it unavailable over the network without any user interaction. | 6.5 |
| 2023-04-11 | CVE-2023-29108 | Unspecified vulnerability in SAP Abap Platform Kernel and web Dispatcher The IP filter in ABAP Platform and SAP Web Dispatcher - versions WEBDISP 7.85, 7.89, KERNEL 7.85, 7.89, 7.91, may be vulnerable by erroneous IP netmask handling. | 5.3 |
| 2023-04-11 | CVE-2023-29109 | Improper Neutralization of Formula Elements in a CSV File vulnerability in SAP products The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. | 4.6 |
| 2023-03-14 | CVE-2023-27894 | Information Exposure vulnerability in SAP Businessobjects Business Intelligence 420/430 SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, allows an attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. | 5.3 |
| 2023-03-14 | CVE-2023-27895 | Privilege Defined With Unsafe Actions vulnerability in SAP Authenticator 1.3.0 SAP Authenticator for Android - version 1.3.0, allows the screen to be captured, if an authorized attacker installs a malicious app on the mobile device. | 6.5 |
| 2023-03-14 | CVE-2023-0021 | Cross-site Scripting vulnerability in SAP Netweaver Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password, which could lead to reflected Cross-Site scripting. | 6.1 |
| 2023-03-14 | CVE-2023-24526 | Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server Java 7.50 SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. | 5.3 |