Vulnerabilities > SAP > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-07-10 CVE-2019-0329 Cross-site Scripting vulnerability in SAP Information Steward 4.2
SAP Information Steward, version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2019-07-10 CVE-2019-0326 Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2/4.3
SAP BusinessObjects Business Intelligence Platform (BI Workspace) (Enterprise), versions 4.1, 4.2, 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2019-07-10 CVE-2019-0325 Missing Authorization vulnerability in SAP ERP HCM 3.0
SAP ERP HCM (SAP_HRCES) , version 3, does not perform necessary authorization checks for a report that reads payroll data of employees in a certain area.
network
high complexity
sap CWE-862
4.2
2019-07-10 CVE-2019-0321 Cross-site Scripting vulnerability in SAP products
ABAP Server and ABAP Platform (SAP Basis), versions, 7.31, 7.4, 7.5, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2019-07-10 CVE-2019-0318 Unspecified vulnerability in SAP Netweaver Application Server Java
Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted.
network
high complexity
sap
5.3
2019-07-10 CVE-2019-0281 Cross-site Scripting vulnerability in SAP Openui5
SAPUI5 and OpenUI5, before versions 1.38.39, 1.44.39, 1.52.25, 1.60.6 and 1.63.0, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2019-06-14 CVE-2019-0316 Cross-site Scripting vulnerability in SAP Netweaver Process Integration
SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim’s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability.
network
low complexity
sap CWE-79
4.8
2019-06-14 CVE-2019-0303 Cross-site Scripting vulnerability in SAP Businessobjects 4.2/4.3
SAP BusinessObjects Business Intelligence Platform (Administration Console), versions 4.2, 4.3, module BILogon/appService.jsp is reflecting requested parameter errMsg into response content without sanitation.
network
low complexity
sap CWE-79
6.1
2019-06-12 CVE-2019-0314 Unspecified vulnerability in SAP Inventory Manager and Work Manager
SAP Work Manager, versions: 6.3, 6.4, 6.5 and SAP Inventory Manager, version 4.3, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.
local
low complexity
sap
5.5
2019-06-12 CVE-2019-0312 Missing Authentication for Critical Function vulnerability in SAP Netweaver Process Integration
Several web pages provided SAP NetWeaver Process Integration (versions: SAP_XIESR: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 and SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50) are not password protected.
network
low complexity
sap CWE-306
5.3