Vulnerabilities > SAP > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-09-08 CVE-2023-40306 Open Redirect vulnerability in SAP S/4Hana
SAP S/4HANA Manage Catalog Items and Cross-Catalog searches Fiori apps allow an attacker to redirect users to a malicious site due to insufficient URL validation.
network
low complexity
sap CWE-601
6.1
2023-08-08 CVE-2023-36926 Missing Authentication for Critical Function vulnerability in SAP Host Agent 7.22
Due to missing authentication check in SAP Host Agent - version 7.22, an unauthenticated attacker can set an undocumented parameter to a particular compatibility value and in turn call read functions.
network
low complexity
sap CWE-306
5.3
2023-08-08 CVE-2023-37484 Use of a Broken or Risky Cryptographic Algorithm vulnerability in SAP Powerdesigner 16.7
SAP PowerDesigner - version 16.7, queries all password hashes in the backend database and compares it with the user provided one during login attempt, which might allow an attacker to access password hashes from the client's memory.
network
low complexity
sap CWE-327
5.3
2023-08-08 CVE-2023-37487 Exposure of System Data to an Unauthorized Control Sphere vulnerability in SAP Business ONE 10.0
SAP Business One (Service Layer) - version 10.0, allows an authenticated attacker with deep knowledge perform certain operation to access unintended data over the network which could lead to high impact on confidentiality with no impact on integrity and availability of the application
network
high complexity
sap CWE-497
5.3
2023-08-08 CVE-2023-37488 Cross-site Scripting vulnerability in SAP Netweaver Process Integration 7.50
In SAP NetWeaver Process Integration - versions SAP_XIESR 7.50, SAP_XITOOL 7.50, SAP_XIAF 7.50, user-controlled inputs, if not sufficiently encoded, could result in Cross-Site Scripting (XSS) attack.
network
low complexity
sap CWE-79
6.1
2023-08-08 CVE-2023-37492 Missing Authorization vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 793, SAP_BASIS 804, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
network
low complexity
sap CWE-862
6.5
2023-08-08 CVE-2023-39436 Missing Authentication for Critical Function vulnerability in SAP Supplier Relationship Management
SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against SRM.
network
low complexity
sap CWE-306
5.8
2023-08-08 CVE-2023-39437 Cross-site Scripting vulnerability in SAP Business ONE 10.0
SAP business One allows - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and gets it delivered to the client, resulting to Cross-site scripting.
network
low complexity
sap CWE-79
5.4
2023-08-08 CVE-2023-39440 Cleartext Storage of Sensitive Information vulnerability in SAP Businessobjects Business Intelligence 420
In SAP BusinessObjects Business Intelligence - version 420, If a user logs in to a particular program, under certain specific conditions memory might not be cleared up properly, due to which attacker might be able to get access to user credentials.
local
high complexity
sap CWE-312
4.4
2023-07-11 CVE-2023-31405 Improper Output Neutralization for Logs vulnerability in SAP Netweaver Application Server for Java 7.50
SAP NetWeaver AS for Java - versions ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50, allows an unauthenticated attacker to craft a request over the network which can result in unwarranted modifications to a system log without user interaction.
network
low complexity
sap CWE-117
5.3