Vulnerabilities > SAP > Medium

DATE  CVE  VULNERABILITY TITLE
  Description
  Attack vector | Attack complexity | Vendor | CWE | RISK
2017-12-12  CVE-2017-16678  Server-Side Request Forgery (SSRF) vulnerability in SAP products
  Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service (EPBC and EPBC2 7.00 to 7.02; KMC-BC 7.30, 7.31, 7.40 and 7.50) that allows an attacker to manipulate the vulnerable application into sending crafted requests on the application's behalf.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-918 | Risk: 4.7
2017-12-03  CVE-2017-14516  Cross-site Scripting vulnerability in SAP BusinessObjects Financial Consolidation
  Cross-Site Scripting (XSS) exists in SAP BusinessObjects Financial Consolidation before 2017-06-13, aka SAP Security Note 2422292.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-79 | Risk: 6.1
2017-10-16  CVE-2017-15294  Cross-site Scripting vulnerability in SAP Customer Relationship Management
  The Java administration console in SAP CRM is affected by cross-site scripting (XSS).
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-79 | Risk: 6.1
2017-09-29  CVE-2017-10701  Cross-site Scripting vulnerability in SAP Enterprise Portal
  Cross-site scripting (XSS) vulnerability in SAP Enterprise Portal 7.50 allows remote attackers to inject arbitrary web script or HTML, aka SAP Security Notes 2469860, 2471209, and 2488516.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-79 | Risk: 6.1
2017-07-25  CVE-2017-11460  Cross-site Scripting vulnerability in SAP NetWeaver Portal 7.4
  Cross-site scripting (XSS) vulnerability in the DataArchivingService servlet in SAP NetWeaver Portal 7.4 allows remote attackers to inject arbitrary web script or HTML via the responsecode parameter to shp/shp_result.jsp, aka SAP Security Note 2308535.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-79 | Risk: 6.1
2017-07-25  CVE-2017-11458  Cross-site Scripting vulnerability in SAP NetWeaver Application Server Java 7.30
  Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-79 | Risk: 6.1
2017-07-25  CVE-2017-11457  XXE vulnerability in SAP NetWeaver Application Server Java 7.50
  XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-611 | Risk: 6.5
2017-06-15  CVE-2017-9613  Cross-site Scripting vulnerability in SAP SuccessFactors B1702P5E.1190658
  Stored cross-site scripting (XSS) vulnerability in SAP SuccessFactors before b1705.1234962 allows remote authenticated users to inject arbitrary web script or HTML via the file upload functionality.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-79 | Risk: 5.4
2017-04-10  CVE-2016-10310  Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP SQL Anywhere 11.0/16.0/17.0
  Buffer overflow in the MobiLink Synchronization Server component in SAP SQL Anywhere 17 and possibly earlier allows remote authenticated users to cause a denial of service (resource consumption and process crash) by sending a crafted packet several times, aka SAP Security Note 2308778.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-119 | Risk: 4.9
2017-04-10  CVE-2016-10304  Deserialization of Untrusted Data vulnerability in SAP NetWeaver Application Server Java 7.50
  The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-502 | Risk: 6.5