Vulnerabilities (CVE)

Filtered by vendor Sap Subscribe
Total 1485 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-45282 1 Sap 1 S\/4 Hana 2024-11-14 N/A 5.3 MEDIUM
Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted.
CVE-2024-45277 1 Sap 1 Hana-client 2024-11-14 N/A 4.3 MEDIUM
The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity.
CVE-2024-37179 1 Sap 1 Businessobjects Business Intelligence 2024-11-14 N/A 6.5 MEDIUM
SAP BusinessObjects Business Intelligence Platform allows an authenticated user to send a specially crafted request to the Web Intelligence Reporting Server to download any file from the machine hosting the service, causing high impact on confidentiality of the application.
CVE-2024-45278 1 Sap 1 Commerce Backoffice 2024-11-14 N/A 5.4 MEDIUM
SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application.
CVE-2024-47594 1 Sap 1 Netweaver Enterprise Portal 2024-11-14 N/A 5.4 MEDIUM
SAP NetWeaver Enterprise Portal (KMC) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability in KMC servlet. An attacker could craft a script and trick the user into clicking it. When a victim who is registered on the portal clicks on such link, confidentiality and integrity of their web browser session could be compromised.
CVE-2024-47595 1 Sap 1 Host Agent 2024-11-14 N/A 7.1 HIGH
An attacker who gains local membership to sapsys group could replace local files usually protected by privileged access. On successful exploitation the attacker could cause high impact on confidentiality and integrity of the application.
CVE-2024-22128 1 Sap 1 Netweaver Business Client For Html 2024-10-16 N/A 6.1 MEDIUM
SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can inject malicious javascript to cause limited impact to confidentiality and integrity of the application data after successful exploitation.
CVE-2024-22130 1 Sap 1 Crm - Webclient Ui 2024-10-16 N/A 5.4 MEDIUM
Print preview option in SAP CRM WebClient UI - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability. An attacker with low privileges can cause limited impact to confidentiality and integrity of the appliaction data after successful exploitation.
CVE-2024-22131 1 Sap 1 Abap Platform 2024-10-16 N/A 7.2 HIGH
In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I, an attacker authenticated as a user with a remote execution authorization can use a vulnerable interface. This allows the attacker to use the interface to invoke an application function to perform actions which they would not normally be permitted to perform.  Depending on the function executed, the attack can read or modify any user/business data and can make the entire system unavailable.
CVE-2024-22132 1 Sap 1 Ides Ecc 2024-10-16 N/A 6.3 MEDIUM
SAP IDES ECC-systems contain code that permits the execution of arbitrary program code of user's choice.An attacker can therefore control the behaviour of the system by executing malicious code which can potentially escalate privileges with low impact on confidentiality, integrity and availability of the system.
CVE-2024-24739 1 Sap 1 Bank Account Management 2024-10-16 N/A 6.3 MEDIUM
SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.
CVE-2024-24740 1 Sap 1 Netweaver Application Server Abap 2024-10-16 N/A 5.3 MEDIUM
SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which could otherwise be restricted with low impact on confidentiality of the application.
CVE-2024-24742 1 Sap 1 Crm - Webclient Ui 2024-10-16 N/A 4.1 MEDIUM
SAP CRM WebClient UI - version S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to integrity of the application data after successful exploitation. There is no impact on confidentiality and availability.
CVE-2024-24743 1 Sap 1 Netweaver Application Server Java 2024-10-16 N/A 7.5 HIGH
SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected.
CVE-2024-25642 1 Sap 1 Cloud Connector 2024-10-16 N/A 7.4 HIGH
Due to improper validation of certificate in SAP Cloud Connector - version 2.0, attacker can impersonate the genuine servers to interact with SCC breaking the mutual authentication. Hence, the attacker can intercept the request to view/modify sensitive information. There is no impact on the availability of the system.
CVE-2024-22129 1 Sap 1 Companion 2024-10-16 N/A 7.6 HIGH
SAP Companion - version <3.1.38, has a URL with parameter that could be vulnerable to XSS attack. The attacker could send a malicious link to a user that would possibly allow an attacker to retrieve the sensitive information and cause minor impact on the integrity of the web application.
CVE-2024-24741 1 Sap 1 Master Data Governance For Material Data 2024-10-16 N/A 4.3 MEDIUM
SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.
CVE-2024-25643 1 Sap 1 Fiori 2024-10-16 N/A 4.3 MEDIUM
The SAP Fiori app (My Overtime Request) - version 605, does not perform the necessary authorization checks for an authenticated user which may result in an escalation of privileges. It is possible to manipulate the URLs of data requests to access information that the user should not have access to. There is no impact on integrity and availability.
CVE-2024-22126 1 Sap 1 Netweaver Application Server Java 2024-10-10 N/A 8.8 HIGH
The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.
CVE-2019-0344 1 Sap 1 Commerce Cloud 2024-10-07 7.5 HIGH 9.8 CRITICAL
Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.