Vulnerabilities > SAP > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-02-14 CVE-2018-2370 Server-Side Request Forgery (SSRF) vulnerability in SAP BI Launchpad 4.10/4.20/4.30
Server-Side Request Forgery (SSRF) vulnerability in SAP Central Management Console, BI Launchpad and Fiori BI Launchpad, 4.10, from 4.20, from 4.30, could allow a malicious user to use common techniques to determine which ports are in use on the backend server.
network
low complexity
sap CWE-918
5.3
2018-02-14 CVE-2018-2369 Unspecified vulnerability in SAP Hana 1.00/2.00
Under certain conditions, SAP HANA 1.00 and 2.00 allow an unauthenticated attacker to access information which would otherwise be restricted.
network
low complexity
sap
5.3
2018-02-14 CVE-2018-2364 Cross-site Scripting vulnerability in SAP products
SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, S4FND 1.02, does not sufficiently validate and/or encode hidden fields, resulting in a Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2018-01-09 CVE-2018-2362 Unspecified vulnerability in SAP Hana 1.00/2.00
In SAP HANA 1.00 and 2.00, a remote unauthenticated attacker could send specially crafted SOAP requests to the SAP Startup Service and disclose information such as the platform's hostname.
network
low complexity
sap
5.3
2017-12-12 CVE-2017-16691 Improper Input Validation vulnerability in SAP Business Application Software Integrated Solution
SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52) supports upload of digitally signed note file of type 'SAR'.
network
low complexity
sap CWE-20
6.5
2017-12-12 CVE-2017-16687 Information Exposure vulnerability in SAP Hana Database 1.00/2.00
The user self-service tools of SAP HANA extended application services, classic user self-service, a part of SAP HANA Database versions 1.00 and 2.00, can be misused to enumerate valid and invalid user accounts.
network
low complexity
sap CWE-200
5.3
2017-12-12 CVE-2017-16685 Cross-site Scripting vulnerability in SAP Business Warehouse Universal Data Integration
Cross-Site Scripting (XSS) in SAP Business Warehouse Universal Data Integration, from 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, due to insufficient encoding of user-controlled inputs.
network
low complexity
sap CWE-79
6.1
2017-12-12 CVE-2017-16683 Unspecified vulnerability in SAP Businessobjects 4.10/4.20
Denial of Service (DoS) vulnerability in SAP Business Objects Platform, Enterprise 4.10 and 4.20, that could allow an attacker to prevent legitimate users from accessing a service.
network
low complexity
sap
6.5
2017-12-12 CVE-2017-16681 Cross-site Scripting vulnerability in SAP Business Intelligence Promotion Management Application 4.10/4.20/4.30
Cross-Site Scripting (XSS) vulnerability in SAP Business Intelligence Promotion Management Application, Enterprise 4.10, 4.20, 4.30, as user-controlled inputs are not sufficiently encoded.
network
low complexity
sap CWE-79
6.1
2017-12-12 CVE-2017-16679 Open Redirect vulnerability in SAP Kernel
URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52, that allows an attacker to redirect users to a malicious site.
network
low complexity
sap CWE-601
6.1