Vulnerabilities > SAP > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-02-09 | CVE-2021-21474 | Inadequate Encryption Strength vulnerability in SAP Hana Database 1.00/2.00 SAP HANA Database, versions - 1.0, 2.0, accepts SAML tokens with MD5 digest, an attacker who manages to obtain an MD5-digest signed SAML Assertion issued for an SAP HANA instance might be able to tamper with it and alter it in a way that the digest continues to be the same and without invalidating the digital signature, this allows them to impersonate as user in HANA database and be able to read the contents in the database. | 6.5 |
| 2021-02-09 | CVE-2021-21444 | Improper Restriction of Rendered UI Layers or Frames vulnerability in SAP Businessobjects Business Intelligence 410/420/430 SAP Business Objects BI Platform, versions - 410, 420, 430, allows multiple X-Frame-Options headers entries in the response headers, which may not be predictably treated by all user agents. | 6.1 |
| 2021-01-12 | CVE-2021-21471 | Unspecified vulnerability in SAP Cla-Assistant In CLA-Assistant, versions before 2.8.5, due to improper access control an authenticated user could access API endpoints which are not intended to be used by the user. | 6.5 |
| 2021-01-12 | CVE-2021-21470 | XXE vulnerability in SAP Enterprise Performance Management 1010/2.8 SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in applications that accept attacker-controlled XML configuration files. | 4.4 |
| 2021-01-12 | CVE-2021-21468 | Missing Authorization vulnerability in SAP Business Warehouse The BW Database Interface does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges that allows the user to practically read out any database table. | 6.5 |
| 2021-01-12 | CVE-2021-21467 | Missing Authorization vulnerability in SAP Banking Services SAP Banking Services (Generic Market Data) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | 4.3 |
| 2021-01-12 | CVE-2021-21464 | Improper Input Validation vulnerability in SAP 3D Visual Enterprise Viewer 9 SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | 4.3 |
| 2021-01-12 | CVE-2021-21448 | Unspecified vulnerability in SAP Graphical User Interface 7.60 SAP GUI for Windows, version - 7.60, allows an attacker to spoof logon credentials for Application Server ABAP backend systems in the client PCs memory. | 6.5 |
| 2021-01-12 | CVE-2021-21447 | Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence 410/420 SAP BusinessObjects Business Intelligence platform, versions 410, 420, allows an authenticated attacker to inject malicious JavaScript payload into the custom value input field of an Input Control, which can be executed by User who views the relevant application content, which leads to Stored Cross-Site Scripting. | 5.4 |
| 2021-01-12 | CVE-2021-21445 | HTTP Request Smuggling vulnerability in SAP Commerce Cloud SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user. | 5.4 |