Vulnerabilities > SAP > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-08-08 CVE-2023-37492 Missing Authorization vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 793, SAP_BASIS 804, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
network
low complexity
sap CWE-862
6.5
2023-08-08 CVE-2023-39436 Missing Authentication for Critical Function vulnerability in SAP Supplier Relationship Management
SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against SRM.
network
low complexity
sap CWE-306
5.8
2023-08-08 CVE-2023-39437 Cross-site Scripting vulnerability in SAP Business ONE 10.0
SAP business One allows - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and gets it delivered to the client, resulting to Cross-site scripting.
network
low complexity
sap CWE-79
5.4
2023-08-08 CVE-2023-39440 Cleartext Storage of Sensitive Information vulnerability in SAP Businessobjects Business Intelligence 420
In SAP BusinessObjects Business Intelligence - version 420, If a user logs in to a particular program, under certain specific conditions memory might not be cleared up properly, due to which attacker might be able to get access to user credentials.
local
high complexity
sap CWE-312
4.4
2023-07-11 CVE-2023-31405 Improper Output Neutralization for Logs vulnerability in SAP Netweaver Application Server for Java 7.50
SAP NetWeaver AS for Java - versions ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50, allows an unauthenticated attacker to craft a request over the network which can result in unwarranted modifications to a system log without user interaction.
network
low complexity
sap CWE-117
5.3
2023-07-11 CVE-2023-33988 Cross-site Scripting vulnerability in SAP Enable NOW
In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the Content-Security-Policy and X-XSS-Protection response headers are not implemented, allowing an unauthenticated attacker to attempt reflected cross-site scripting, which could result in disclosure or modification of information.
network
low complexity
sap CWE-79
6.1
2023-07-11 CVE-2023-33992 Missing Authorization vulnerability in SAP Business Warehouse and Bw/4Hana
The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response.
network
low complexity
sap CWE-862
6.5
2023-07-11 CVE-2023-35872 Missing Authentication for Critical Function vulnerability in SAP Netweaver Process Integration 7.50
The Message Display Tool (MDT) of SAP NetWeaver Process Integration - version SAP_XIAF 7.50, does not perform authentication checks for certain functionalities that require user identity.
network
low complexity
sap CWE-306
6.5
2023-07-11 CVE-2023-35873 Missing Authentication for Critical Function vulnerability in SAP Netweaver Process Integration 7.50
The Runtime Workbench (RWB) of SAP NetWeaver Process Integration - version SAP_XITOOL 7.50, does not perform authentication checks for certain functionalities that require user identity.
network
low complexity
sap CWE-306
6.5
2023-07-11 CVE-2023-36918 Cross-site Scripting vulnerability in SAP Enable NOW
In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-Content-Type-Options response header is not implemented, allowing an unauthenticated attacker to trigger MIME type sniffing, which leads to Cross-Site Scripting, which could result in disclosure or modification of information.
network
low complexity
sap CWE-79
6.1