Vulnerabilities > SAP > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-07-09 CVE-2024-34689 Server-Side Request Forgery (SSRF) vulnerability in SAP Business Workflow and SAP Basis
WebFlow Services of SAP Business Workflow allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests.
network
low complexity
sap CWE-918
5.0
2024-07-09 CVE-2024-34692 Unrestricted Upload of File with Dangerous Type vulnerability in SAP Enable NOW
Due to missing verification of file type or content, SAP Enable Now allows an authenticated attacker to upload arbitrary files.
network
low complexity
sap CWE-434
4.6
2024-07-09 CVE-2024-37171 Server-Side Request Forgery (SSRF) vulnerability in SAP Saptmui and Transportation Management
SAP Transportation Management (Collaboration Portal) allows an attacker with non-administrative privileges to send a crafted request from a vulnerable web application.
network
low complexity
sap CWE-918
5.0
2024-07-09 CVE-2024-37172 Missing Authorization vulnerability in SAP S4Core 107/108
SAP S/4HANA Finance (Advanced Payment Management) does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges.
network
low complexity
sap CWE-862
5.4
2024-07-09 CVE-2024-37175 Missing Authorization vulnerability in SAP products
SAP CRM WebClient does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges.
network
low complexity
sap CWE-862
6.5
2024-07-09 CVE-2024-34685 Cross-site Scripting vulnerability in SAP Netweaver Knowledge Management and Collaboration (Kmc-Cm) 7.50
Due to weak encoding of user-controlled input in SAP NetWeaver Knowledge Management XMLEditor which allows malicious scripts can be executed in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2024-07-09 CVE-2024-37173 Cross-site Scripting vulnerability in SAP products
Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script.
network
low complexity
sap CWE-79
6.1
2024-07-09 CVE-2024-37174 Cross-site Scripting vulnerability in SAP products
Custom CSS support option in SAP CRM WebClient UI does not sufficiently encode user-controlled inputs resulting in Cross-Site Scripting vulnerability.
network
low complexity
sap CWE-79
6.1
2024-07-09 CVE-2024-39592 Missing Authorization vulnerability in SAP S4Core and S4Coreop
Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application.
network
low complexity
sap CWE-862
6.5
2024-07-09 CVE-2024-39593 Unspecified vulnerability in SAP Landscape Management 3.0
SAP Landscape Management allows an authenticated user to read confidential data disclosed by the REST Provider Definition response.
network
low complexity
sap
5.7