Vulnerabilities > SAP > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-07-11 CVE-2023-36919 Intentional Information Exposure vulnerability in SAP Enable NOW
In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the Referrer-Policy response header is not implemented, allowing an unauthenticated attacker to obtain referrer details, resulting in information disclosure.
network
low complexity
sap CWE-213
5.3
2023-07-11 CVE-2023-36924 Improper Output Neutralization for Logs vulnerability in SAP ERP Defense Forces and Public Security
While using a specific function, SAP ERP Defense Forces and Public Security - versions 600, 603, 604, 605, 616, 617, 618, 802, 803, 804, 805, 806, 807, allows an authenticated attacker with admin privileges to write arbitrary data to the syslog file.
network
low complexity
sap CWE-117
4.9
2023-06-13 CVE-2023-2827 Missing Authentication for Critical Function vulnerability in SAP Digital Manufacturing and Plant Connectivity
SAP Plant Connectivity - version 15.5 (PCo) or the Production Connector for SAP Digital Manufacturing - version 1.0, do not validate the signature of the JSON Web Token (JWT) in the HTTP request sent from SAP Digital Manufacturing.
low complexity
sap CWE-306
5.7
2023-06-13 CVE-2023-32115 SQL Injection vulnerability in SAP Master Data Synchronization
An attacker can exploit MDS COMPARE TOOL and use specially crafted inputs to read and modify database commands, resulting in the retrieval of additional information persisted by the system.
local
low complexity
sap CWE-89
6.1
2023-06-13 CVE-2023-33984 Cross-site Scripting vulnerability in SAP Netweaver 7.50
SAP NetWeaver (Design Time Repository) - version 7.50, returns an unfavorable content type for some versioned files, which could allow an authorized attacker to create a file with malicious content and send a link to a victim in an email or instant message.
network
low complexity
sap CWE-79
5.4
2023-06-13 CVE-2023-33985 Cross-site Scripting vulnerability in SAP Netweaver 7.50
SAP NetWeaver Enterprise Portal - version 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in a reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack.
network
low complexity
sap CWE-79
6.1
2023-06-13 CVE-2023-33986 Cross-site Scripting vulnerability in SAP Customer Relationship Management Abap 430
SAP CRM ABAP (Grantor Management) - versions 700, 701, 702, 712, 713, 714, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2023-05-09 CVE-2023-30741 Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence 420/430
Due to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to an untrusted site using a malicious link.
network
low complexity
sap CWE-79
6.1
2023-05-09 CVE-2023-30742 Cross-site Scripting vulnerability in SAP products
SAP CRM (WebClient UI) - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 700, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability. An attacker could store a malicious URL and lure the victim to click, causing the script supplied by the attacker to execute in the victim user's session.
network
low complexity
sap CWE-79
6.1
2023-05-09 CVE-2023-30743 Cross-site Scripting vulnerability in SAP Sapui5
Due to improper neutralization of input in SAPUI5 - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, UI_700 200, the sap.m.FormattedText SAPUI5 control allows injection of untrusted CSS.
network
low complexity
sap CWE-79
6.1