Vulnerabilities > SAP > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-10-08 CVE-2019-0376 Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence Platform 4.0/4.1/4.2
SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows an attacker to save malicious scripts in the publication name, which can be executed later by the victim, resulting in Stored Cross-Site Scripting.
network
low complexity
sap CWE-79
5.4
2019-10-08 CVE-2019-0375 Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence Platform 4.0/4.1/4.2
SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the export dialog box of the report name resulting in reflected Cross-Site Scripting.
network
low complexity
sap CWE-79
5.4
2019-10-08 CVE-2019-0374 Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence Platform 4.0/4.1/4.2
SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the chart title resulting in reflected Cross-Site Scripting
network
low complexity
sap CWE-79
5.4
2019-10-08 CVE-2019-0370 XML Injection (aka Blind XPath Injection) vulnerability in SAP Financial Consolidation 10.0/10.1
Due to missing input validation, SAP Financial Consolidation, before versions 10.0 and 10.1, enables an attacker to use crafted input to interfere with the structure of the surrounding query leading to XPath Injection.
network
low complexity
sap CWE-91
6.5
2019-10-08 CVE-2019-0369 Cross-site Scripting vulnerability in SAP Financial Consolidation 10.0/10.1
SAP Financial Consolidation, before versions 10.0 and 10.1, does not sufficiently encode user-controlled inputs, which allows an attacker to execute scripts by uploading files containing malicious scripts, leading to reflected cross site scripting vulnerability.
network
low complexity
sap CWE-79
5.4
2019-10-08 CVE-2019-0368 Cross-site Scripting vulnerability in SAP products
SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs within the mail client resulting in Cross-Site Scripting vulnerability.
network
low complexity
sap CWE-79
5.4
2019-10-08 CVE-2019-0367 Missing Authorization vulnerability in SAP Netweaver Process Integration 1.0/2.0
SAP NetWeaver Process Integration (B2B Toolkit), before versions 1.0 and 2.0, does not perform necessary authorization checks for an authenticated user, allowing the import of B2B table content that leads to Missing Authorization Check.
network
low complexity
sap CWE-862
4.3
2019-09-10 CVE-2019-0364 Unspecified vulnerability in SAP Hana Extended Application Services 1.0
Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to enumerate open ports.
network
low complexity
sap
4.3
2019-09-10 CVE-2019-0361 Cross-site Scripting vulnerability in SAP Supplier Relationship Management 3.73/7.31/7.32
SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2019-09-10 CVE-2019-0357 Unspecified vulnerability in SAP Hana 1.0/2.0
The administrator of SAP HANA database, before versions 1.0 and 2.0, can misuse HANA to execute commands with operating system "root" privileges.
local
low complexity
sap
6.7