Vulnerabilities > SAP > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-02-13 CVE-2024-22128 Cross-site Scripting vulnerability in SAP Netweaver Business Client for Html
SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2024-01-09 CVE-2024-21736 Incorrect Authorization vulnerability in SAP S/4Hana Finance 107/128
SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks.
network
low complexity
sap CWE-863
6.5
2024-01-09 CVE-2024-21738 Cross-site Scripting vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation.
network
low complexity
sap CWE-79
5.4
2024-01-09 CVE-2024-21734 Open Redirect vulnerability in SAP Marketing 160
SAP Marketing (Contacts App) - version 160, allows an attacker with low privileges to trick a user to open malicious page which could lead to a very convincing phishing attack with low impact on confidentiality and integrity of the application.
network
low complexity
sap CWE-601
5.4
2023-12-12 CVE-2023-49577 Cross-site Scripting vulnerability in SAP Human Capital Management
The SAP HCM (SMART PAYE solution) - versions S4HCMCIE 100, SAP_HRCIE 600, SAP_HRCIE 604, SAP_HRCIE 608, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2023-12-12 CVE-2023-49584 HTTP Request Smuggling vulnerability in SAP Fiori Launchpad
SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, allows an attacker to use HTTP verb POST on read-only service causing low impact on Confidentiality of the application.
network
low complexity
sap CWE-444
4.3
2023-12-12 CVE-2023-49587 Command Injection vulnerability in SAP Solution Manager 720
SAP Solution Manager - version 720, allows an authorized attacker to execute certain deprecated function modules which can read or modify data of same or other component without user interaction over the network.
network
low complexity
sap CWE-77
6.4
2023-12-12 CVE-2023-42476 Cross-site Scripting vulnerability in SAP Businessobjects web Intelligence 420
SAP Business Objects Web Intelligence - version 420, allows an authenticated attacker to inject JavaScript code into Web Intelligence documents which is then executed in the victim’s browser each time the vulnerable page is visited.
network
low complexity
sap CWE-79
6.8
2023-12-12 CVE-2023-42479 Cross-site Scripting vulnerability in SAP Biller Direct 635/750
An unauthenticated attacker can embed a hidden access to a Biller Direct URL in a frame which, when loaded by the user, will submit a cross-site scripting request to the Biller Direct system.
network
low complexity
sap CWE-79
6.1
2023-12-12 CVE-2023-49058 Path Traversal vulnerability in SAP Master Data Governance
SAP Master Data Governance File Upload application allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing ‘traverse to parent directory’ are passed through to the file APIs.
network
low complexity
sap CWE-22
5.3