Vulnerabilities > SAP > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-01-10 | CVE-2023-0012 | Improper Access Control vulnerability in SAP Host Agent 7.21/7.22. In SAP Host Agent (Windows) - versions 7.21, 7.22, an attacker who gains local membership in SAP_LocalAdmin could replace executables with a malicious file that will be started under a privileged account. | 6.7 |
2023-01-10 | CVE-2023-0013 | Cross-site Scripting vulnerability in SAP NetWeaver Application Server ABAP. The ABAP Keyword Documentation of SAP NetWeaver Application Server - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, for ABAP and ABAP Platform does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2022-12-13 | CVE-2022-41273 | Open Redirect vulnerability in SAP Contract Lifecycle Manager and Sourcing. Due to improper input sanitization in SAP Sourcing and SAP Contract Lifecycle Management - version 1100, an attacker can redirect a user to a malicious website. | 6.1 |
2022-12-13 | CVE-2022-41274 | Incorrect Authorization vulnerability in SAP Disclosure Management 10.1. SAP Disclosure Management - version 10.1, allows an authenticated attacker to exploit certain misconfigured application endpoints to read sensitive data. | 6.5 |
2022-12-13 | CVE-2022-41275 | Open Redirect vulnerability in SAP Solution Manager 740/750. In SAP Solution Manager (Enterprise Search) - versions 740 and 750, an unauthenticated attacker can generate a link that, if clicked by a logged-in user, redirects to a malicious page that could read or modify sensitive information, or expose the user to a phishing attack, with little impact on confidentiality and integrity. | 6.1 |
2022-12-13 | CVE-2022-41266 | Cross-site Scripting vulnerability in SAP Commerce Webservices 2.0. Due to a lack of proper input validation, SAP Commerce Webservices 2.0 (Swagger UI) - versions 1905, 2005, 2105, 2011, 2205, allows malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a DOM Cross-Site Scripting (XSS) attack. | 6.1 |
2022-12-12 | CVE-2022-41261 | Unspecified vulnerability in SAP Solution Manager 7.20. SAP Solution Manager (Diagnostic Agent) - version 7.20, allows an authenticated attacker on a Windows system to access a file containing sensitive data, which can be used to access a configuration file that contains credentials to access other system files. | 5.5 |
2022-12-12 | CVE-2022-41262 | Cross-site Scripting vulnerability in SAP NetWeaver Application Server Java 7.50. Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. | 6.1 |
2022-12-12 | CVE-2022-41263 | Cross-Site Request Forgery (CSRF) vulnerability in SAP Business Objects Business Intelligence Platform 420/430. Due to a missing authentication check, SAP Business Objects Business Intelligence Platform (Web Intelligence) - versions 420, 430, allows an authenticated non-administrator attacker to modify the data source information for a document that is otherwise restricted. | 4.3 |
2022-12-12 | CVE-2022-31596 | Unspecified vulnerability in SAP Business Objects Business Intelligence Platform 430. Under certain conditions, an attacker authenticated as a CMS administrator and with high-privilege access to the network in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) - version 430, can access the BOE Monitoring database to retrieve and modify (non-personal) system data that would otherwise be restricted. | 6.0 |