Vulnerabilities > SAP > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2019-10-08 | CVE-2019-0370 | XML Injection (aka Blind XPath Injection) vulnerability in SAP Financial Consolidation 10.0/10.1 | Due to missing input validation, SAP Financial Consolidation, before versions 10.0 and 10.1, enables an attacker to use crafted input to interfere with the structure of the surrounding query leading to XPath Injection. | 6.4 |
2019-10-08 | CVE-2019-0367 | Missing Authorization vulnerability in SAP Netweaver Process Integration 1.0/2.0 | SAP NetWeaver Process Integration (B2B Toolkit), before versions 1.0 and 2.0, does not perform necessary authorization checks for an authenticated user, allowing the import of B2B table content that leads to Missing Authorization Check. | 4.0 |
2019-09-10 | CVE-2019-0364 | Unspecified vulnerability in SAP Hana Extended Application Services 1.0 | Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to enumerate open ports. | 4.0 |
2019-09-10 | CVE-2019-0363 | Unspecified vulnerability in SAP Hana Extended Application Services 1.0 | Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to overload the server or retrieve information about internal network ports. | 5.5 |
2019-09-10 | CVE-2019-0361 | Cross-site Scripting vulnerability in SAP Supplier Relationship Management 3.73/7.31/7.32 | SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | 4.3 |
2019-09-10 | CVE-2019-0356 | Unspecified vulnerability in SAP Netweaver Process Integration 7.31/7.40/7.50 | Under certain conditions SAP NetWeaver Process Integration Runtime Workbench – MESSAGING and SAP_XIAF (before versions 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted. | 4.0 |
2019-09-10 | CVE-2019-0355 | Code Injection vulnerability in SAP Netweaver Application Server Java | SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. | 6.5 |
2019-09-10 | CVE-2019-0352 | Information Exposure vulnerability in SAP Businessobjects Business Intelligence Platform 4.10/4.20/4.30 | In SAP Business Objects Business Intelligence Platform, before versions 4.1, 4.2 and 4.3, some dynamic pages (like jsp) are cached, which means an attacker can see the sensitive information via the cache and can open the dynamic pages even after logout. | 5.0 |
2019-08-14 | CVE-2019-0349 | Missing Authorization vulnerability in SAP Advanced Business Application Programming Platform Kernel | SAP Kernel (ABAP Debugger), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.49, 7.53, 7.73, 7.75, 7.76, 7.77, allows a user to execute “Go to statement” without possessing the authorization S_DEVELOP DEBUG 02, resulting in Missing Authorization Check. | 6.5 |
2019-08-14 | CVE-2019-0351 | Unspecified vulnerability in SAP Netweaver | A remote code execution vulnerability exists in the SAP NetWeaver UDDI Server (Services Registry), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50. | 6.5 |