SAP vulnerabilities, Medium severity

DATE | CVE | VULNERABILITY TITLE
  DESCRIPTION
  ATTACK VECTOR | ATTACK COMPLEXITY | VENDOR | CWE | RISK
2017-07-25 | CVE-2017-11458 | Cross-site Scripting vulnerability in SAP NetWeaver Application Server Java 7.30
  Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-79 | Risk: 6.1
2017-07-25 | CVE-2017-11457 | XXE vulnerability in SAP NetWeaver Application Server Java 7.50
  XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-611 | Risk: 6.5
2017-06-15 | CVE-2017-9613 | Cross-site Scripting vulnerability in SAP SuccessFactors B1702P5E.1190658
  Stored cross-site scripting (XSS) vulnerability in SAP SuccessFactors before b1705.1234962 allows remote authenticated users to inject arbitrary web script or HTML via the file upload functionality.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-79 | Risk: 5.4
2017-04-10 | CVE-2016-10310 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP SQL Anywhere 11.0/16.0/17.0
  Buffer overflow in the MobiLink Synchronization Server component in SAP SQL Anywhere 17 and possibly earlier allows remote authenticated users to cause a denial of service (resource consumption and process crash) by sending a crafted packet several times, aka SAP Security Note 2308778.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-119 | Risk: 4.9
2017-04-10 | CVE-2016-10304 | Deserialization of Untrusted Data vulnerability in SAP NetWeaver Application Server Java 7.50
  The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-502 | Risk: 6.5
2017-03-16 | CVE-2017-6061 | Cross-site Scripting vulnerability in SAP BusinessObjects Financial Consolidation 10.0.0.1933
  Cross-site scripting (XSS) vulnerability in the help component of SAP BusinessObjects Financial Consolidation 10.0.0.1933 allows remote attackers to inject arbitrary web script or HTML via a GET request.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-79 | Risk: 4.7
2016-12-31 | CVE-2016-6859 | Information Exposure vulnerability in SAP Hybris
  Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-200 | Risk: 4.3
2016-12-31 | CVE-2016-6858 | Cross-site Scripting vulnerability in SAP Hybris
  Cross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-79 | Risk: 5.4
2016-12-31 | CVE-2016-6857 | Cross-site Scripting vulnerability in SAP Hybris
  Cross-site scripting (XSS) vulnerability in the Create Catalogue feature in Hybris Management Console (HMC) in SAP Hybris before 5.2.0.13, 5.3.x before 5.3.0.11, 5.4.x before 5.4.0.11, 5.5.0.x before 5.5.0.10, 5.5.1.x before 5.5.1.11, 5.6.x before 5.6.0.11, and 5.7.x before 5.7.0.15 allows remote authenticated users to inject arbitrary web script or HTML via the ID field.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-79 | Risk: 5.4
2016-12-31 | CVE-2016-6856 | Cross-site Scripting vulnerability in SAP Hybris
  Cross-site scripting (XSS) vulnerability in the Inbox Search feature in Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to inject arbitrary web script or HTML via the itemsperpage parameter.
  Attack vector: network | Attack complexity: low | Vendor: sap | CWE-79 | Risk: 6.1