SAP vulnerabilities (medium risk)

2021-10-12  CVE-2021-40496
Exposure of Resource to Wrong Sphere vulnerability in SAP Netweaver Abap and Netweaver Application Server Abap
SAP Internet Communication framework (ICM), versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an attacker with logon functionality to exploit the authentication function by using a POST request and a form field to repeat executions of the initial command via a GET request, exposing sensitive data.
Attack vector: network | Attack complexity: low | Vendor: sap | CWE-668 | Risk score: 4.3

2021-10-12  CVE-2021-40497
Exposure of Resource to Wrong Sphere vulnerability in SAP Businessobjects Analysis 420/430
SAP BusinessObjects Analysis (edition for OLAP), versions 420, 430, allows an attacker to exploit certain application endpoints to read sensitive data.
Attack vector: network | Attack complexity: low | Vendor: sap | CWE-668 | Risk score: 5.0

2021-10-12  CVE-2021-40500
XXE vulnerability in SAP Businessobjects Business Intelligence Platform 4.20/4.30
SAP BusinessObjects Business Intelligence Platform (Crystal Reports), versions 420, 430, allows an unauthenticated attacker to exploit missing XML validation at endpoints to read sensitive data.
Attack vector: network | Attack complexity: low | Vendor: sap | CWE-611 | Risk score: 5.0

2021-09-15  CVE-2021-33690
Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Development Infrastructure
A Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service, versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on the server by sending crafted queries.
Attack vector: network | Attack complexity: low | Vendor: sap | CWE-918 | Risk score: 6.5

2021-09-15  CVE-2021-33691
Cross-site Scripting vulnerability in SAP Netweaver Development Infrastructure 7.31/7.40/7.50
NWDI Notification Service, versions 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver Development Infrastructure Notification Service allows a threat actor to send crafted scripts to a victim.
Attack vector: network | Vendor: sap | CWE-79 | Risk score: 4.3

2021-09-15  CVE-2021-33692
Path Traversal vulnerability in SAP Cloud Connector 2.0
SAP Cloud Connector, version 2.0, allows the upload of zip files as backup.
Attack vector: network | Attack complexity: low | Vendor: sap | CWE-22 | Risk score: 5.0

2021-09-15  CVE-2021-33695
Improper Certificate Validation vulnerability in SAP Cloud Connector 2.0
Potentially, SAP Cloud Connector, version 2.0, accepts communication with the backend without sufficient validation of the certificate.
Attack vector: network | Attack complexity: low | Vendor: sap | CWE-295 | Risk score: 6.4

2021-09-15  CVE-2021-33697
Improper Privilege Management vulnerability in SAP Businessobjects Business Intelligence 420/430
Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions 420, 430, can allow an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.
Attack vector: network | Vendor: sap | CWE-269 | Risk score: 5.8

2021-09-15  CVE-2021-33698
Unrestricted Upload of File with Dangerous Type vulnerability in SAP Business ONE 10.0
SAP Business One, version 10.0, allows an attacker with business authorization to upload any files (including script files) without proper file format validation.
Attack vector: network | Attack complexity: low | Vendor: sap | CWE-434 | Risk score: 6.5

2021-09-15  CVE-2021-33700
Improper Authentication vulnerability in SAP Business ONE 10.0
SAP Business One, version 10.0, allows a local attacker with access to the victim's browser, under certain circumstances, to log in as the victim without knowing his/her password.
Attack vector: local | Attack complexity: low | Vendor: sap | CWE-287 | Risk score: 4.6