Vulnerabilities > SAP > Medium

DATE CVE VULNERABILITY TITLE RISK
2017-03-16 CVE-2017-6061 Cross-site Scripting vulnerability in SAP Businessobjects Financial Consolidation 10.0.0.1933
Cross-site scripting (XSS) vulnerability in the help component of SAP BusinessObjects Financial Consolidation 10.0.0.1933 allows remote attackers to inject arbitrary web script or HTML via a GET request.
network
low complexity
sap CWE-79
4.7
2016-12-31 CVE-2016-6859 Information Exposure vulnerability in SAP Hybris
Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace.
network
low complexity
sap CWE-200
4.3
2016-12-31 CVE-2016-6858 Cross-site Scripting vulnerability in SAP Hybris
Cross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field.
network
low complexity
sap CWE-79
5.4
2016-12-31 CVE-2016-6857 Cross-site Scripting vulnerability in SAP Hybris
Cross-site scripting (XSS) vulnerability in the Create Catalogue feature in Hybris Management Console (HMC) in SAP Hybris before 5.2.0.13, 5.3.x before 5.3.0.11, 5.4.x before 5.4.0.11, 5.5.0.x before 5.5.0.10, 5.5.1.x before 5.5.1.11, 5.6.x before 5.6.0.11, and 5.7.x before 5.7.0.15 allows remote authenticated users to inject arbitrary web script or HTML via the ID field.
network
low complexity
sap CWE-79
5.4
2016-12-31 CVE-2016-6856 Cross-site Scripting vulnerability in SAP Hybris
Cross-site scripting (XSS) vulnerability in the Inbox Search feature in Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to inject arbitrary web script or HTML via the itemsperpage parameter.
network
low complexity
sap CWE-79
6.1
2016-12-14 CVE-2016-3685 Use of Hard-coded Credentials vulnerability in SAP Download Manager 1.1.3.0/2.1.142
SAP Download Manager 2.1.142 and earlier generates an encryption key from a small key space on Windows and Mac systems, which allows context-dependent attackers to obtain sensitive configuration information by leveraging knowledge of a hardcoded key in the program code and a computer BIOS serial number, aka SAP Security Note 2282338.
local
high complexity
sap CWE-798
4.7
2016-12-14 CVE-2016-3684 Unspecified vulnerability in SAP Download Manager 1.1.3.0/2.1.142
SAP Download Manager 2.1.142 and earlier uses a hardcoded encryption key to protect stored data, which allows context-dependent attackers to obtain sensitive configuration information by leveraging knowledge of this key, aka SAP Security Note 2282338.
local
high complexity
sap
4.7
2016-11-23 CVE-2016-9563 XXE vulnerability in SAP Netweaver Application Server Java 7.50
BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.
network
low complexity
sap CWE-611
6.5
2016-10-13 CVE-2016-4407 Improper Access Control vulnerability in SAP Sapcryptolib 5.555.38
The DSA algorithm implementation in SAP SAPCRYPTOLIB 5.555.38 does not properly check signatures, which allows remote authenticated users to impersonate arbitrary users via unspecified vectors, aka SAP Security Note 2223008.
network
low complexity
sap CWE-284
6.5
2016-10-13 CVE-2016-3638 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP SLD Registration
SAP SLD Registration Program (aka SLDREG) allows local users to cause a denial of service (memory corruption and process termination) via a crafted HOST parameter, aka SAP Security Note 2125623.
local
low complexity
sap CWE-119
5.5