Vulnerabilities > SAP > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-06-14 | CVE-2022-31589 | Unspecified vulnerability in SAP products Due to improper authorization check, business users who are using Israeli File from SHAAM program (/ATL/VQ23 transaction), are granted more than needed authorization to perform certain transaction, which may lead to users getting access to data that would otherwise be restricted. | 6.5 |
| 2022-06-14 | CVE-2022-32235 | Improper Input Validation vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens manipulated AutoCAD (.dwg, TeighaTranslator.exe) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. | 4.3 |
| 2022-06-14 | CVE-2022-29612 | Server-Side Request Forgery (SSRF) vulnerability in SAP Host Agent and Netweaver Abap SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, 8.04, SAPHOSTAGENT 7.22, allows an authenticated user to misuse a function of sapcontrol webfunctionality(startservice) in Kernel which enables malicious users to retrieve information. | 4.3 |
| 2022-06-13 | CVE-2022-28217 | Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at endpoints, and a possibility to conduct SSRF attacks that could compromise system?s Availability by causing system to crash. | 6.5 |
| 2022-06-06 | CVE-2022-29617 | Improper Handling of Exceptional Conditions vulnerability in SAP Contributor License Agreement Assistant Due to improper error handling an authenticated user can crash CLA assistant instance. | 6.5 |
| 2022-05-11 | CVE-2022-29616 | Out-of-bounds Write vulnerability in SAP products SAP Host Agent, SAP NetWeaver and ABAP Platform allow an attacker to leverage logical errors in memory management to cause a memory corruption. | 5.0 |
| 2022-05-11 | CVE-2022-27656 | Cross-site Scripting vulnerability in SAP products The Web administration UI of SAP Web Dispatcher and the Internet Communication Manager (ICM) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | 4.3 |
| 2022-05-11 | CVE-2022-28214 | Cleartext Storage of Sensitive Information vulnerability in SAP products During an update of SAP BusinessObjects Enterprise, Central Management Server (CMS) - versions 420, 430, authentication credentials are being exposed in Sysmon event logs. | 4.6 |
| 2022-05-11 | CVE-2022-28774 | Incorrect Authorization vulnerability in SAP Host Agent 7.22 Under certain conditions, the SAP Host Agent logfile shows information which would otherwise be restricted. | 5.5 |
| 2022-05-11 | CVE-2022-29613 | Improper Input Validation vulnerability in SAP Employee Self Service 605 Due to insufficient input validation, SAP Employee Self Service allows an authenticated attacker with user privileges to alter employee number. | 4.0 |