Filtered by vendor Sap
Subscribe
Total
1568 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-27669 | 1 Sap | 1 Netweaver Application Server For Java | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An unauthenticated user can use functions of XML Data Archiving Service of SAP NetWeaver Application Server for Java - version 7.50, to which access should be restricted. This may result in an escalation of privileges.
|
|||||
| CVE-2022-27668 | 1 Sap | 4 Netweaver As Abap, Netweaver As Abap Krnl64nuc, Netweaver As Abap Krnl64uc and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP Platform - versions KERNEL 7.49, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.49, KRNL64UC 7.49, SAP_ROUTER 7.53, 7.22, from a remote client, for example stopping the SAProuter, that could highly impact systems availability.
|
|||||
| CVE-2022-27667 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
|
Under certain conditions, SAP BusinessObjects Business Intelligence platform, Client Management Console (CMC) - version 430, allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure.
|
|||||
| CVE-2022-27658 | 1 Sap | 1 Innovation Management | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
|
Under certain conditions, SAP Innovation management - version 2.0, allows an attacker to access information which could lead to information gathering for further exploits and attacks.
|
|||||
| CVE-2022-27657 | 1 Sap | 1 Focused Run | 2024-11-21 | 4.0 MEDIUM | 2.7 LOW |
|
A highly privileged remote attacker, can gain unauthorized access to display contents of restricted directories by exploiting insufficient validation of path information in SAP Focused Run (Simple Diagnostics Agent 1.0) - version 1.0.
|
|||||
| CVE-2022-27656 | 1 Sap | 3 Netweaver As Abap Kernel, Netweaver As Abap Krnl64uc, Webdispatcher | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Web administration UI of SAP Web Dispatcher and the Internet Communication Manager (ICM) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
|
|||||
| CVE-2022-27655 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
When a user opens a manipulated Universal 3D (.u3d, 3difr.x3d) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application.
|
|||||
| CVE-2022-27654 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
When a user opens a manipulated Photoshop Document (.psd, 2d.x3d) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application.
|
|||||
| CVE-2022-26109 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
When a user opens a manipulated Portable Document Format (.pdf, PDFView.x3d) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application.
|
|||||
| CVE-2022-26108 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
When a user opens a manipulated Picture Exchange (.pcx, 2d.x3d) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application.
|
|||||
| CVE-2022-26107 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
When a user opens a manipulated Jupiter Tesselation (.jt, JTReader.x3d) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application.
|
|||||
| CVE-2022-26106 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
When a user opens a manipulated Computer Graphics Metafile (.cgm, CgmCore.dll) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application.
|
|||||
| CVE-2022-26105 | 1 Sap | 1 Netweaver Enterprise Portal | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, is susceptible to script execution attack by an unauthenticated attacker due to improper sanitization of the user inputs while interacting on the Network. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application.
|
|||||
| CVE-2022-26104 | 1 Sap | 1 Financial Consolidation | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
SAP Financial Consolidation - version 10.1, does not perform necessary authorization checks for updating homepage messages, resulting for an unauthorized user to alter the maintenance system message.
|
|||||
| CVE-2022-26103 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
|
Under certain conditions, SAP NetWeaver (Real Time Messaging Framework) - version 7.50, allows an attacker to access information which could lead to information gathering for further exploits and attacks.
|
|||||
| CVE-2022-26102 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
|
Due to missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated attacker, to access content on the start screen of any transaction that is available with in the same SAP system even if he/she isn't authorized for that transaction. A successful exploitation could expose information and in worst case manipulate data before the start screen is executed, resulting in limited impact on confidentiality and integrity of the applicatio ...
Show More |
|||||
| CVE-2022-26101 | 1 Sap | 1 Fiori Launchpad | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Fiori launchpad - versions 754, 755, 756, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
|
|||||
| CVE-2022-26100 | 1 Sap | 1 Sapcar | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
SAPCAR - version 7.22, does not contain sufficient input validation on the SAPCAR archive. As a result, the SAPCAR process may crash, and the attacker may obtain privileged access to the system.
|
|||||
| CVE-2022-24399 | 1 Sap | 1 Focused Run | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The SAP Focused Run (Real User Monitoring) - versions 200, 300, REST service does not sufficiently sanitize the input name of the file using multipart/form-data, resulting in Cross-Site Scripting (XSS) vulnerability.
|
|||||
| CVE-2022-24398 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM |
|
Under certain conditions SAP Business Objects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access information which would otherwise be restricted.
|
|||||
| CVE-2022-24397 | 1 Sap | 1 Netweaver Enterprise Portal | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
SAP NetWeaver Enterprise Portal - versions 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.This reflected cross-site scripting attack can be used to non-permanently deface or modify displayed content of portal Website. The execution of the script content by a victim registered on the portal could compromise the confidentiality and integrity of victim’s web browser.
|
|||||
| CVE-2022-24396 | 1 Sap | 1 Simple Diagnostics Agent | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
The Simple Diagnostics Agent - versions 1.0 up to version 1.57, does not perform any authentication checks for functionalities that can be accessed via localhost on http port 3005. Due to lack of authentication checks, an attacker could access administrative or other privileged functionalities and read, modify, or delete sensitive information and configurations.
|
|||||
| CVE-2022-24395 | 1 Sap | 1 Netweaver Enterprise Portal | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.
|
|||||
| CVE-2022-22547 | 1 Sap | 1 Simple Diagnostics Agent | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Simple Diagnostics Agent - versions 1.0 (up to version 1.57.), allows an attacker to access information which would otherwise be restricted via a random port 9000-65535. This allows information gathering which could be used exploit future open-source security exploits.
|
|||||
| CVE-2022-22546 | 1 Sap | 1 Businessobjects Web Intelligence | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Due to improper HTML encoding in input control summary, an authorized attacker can execute XSS vulnerability in SAP Business Objects Web Intelligence (BI Launchpad) - version 420.
|
|||||
| CVE-2022-22545 | 1 Sap | 1 Netweaver Abap | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
A high privileged user who has access to transaction SM59 can read connection details stored with the destination for http calls in SAP NetWeaver Application Server ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756.
|
|||||
| CVE-2022-22544 | 1 Sap | 1 Solution Manager | 2024-11-21 | 6.5 MEDIUM | 9.1 CRITICAL |
|
Solution Manager (Diagnostics Root Cause Analysis Tools) - version 720, allows an administrator to execute code on all connected Diagnostics Agents and browse files on their systems. An attacker could thereby control the managed systems. It is considered that this is a missing segregation of duty for the SAP Solution Manager administrator. Impacts of unauthorized execution of commands can lead to sensitive information disclosure, loss of system integrity and denial of service.
|
|||||
| CVE-2022-22543 | 1 Sap | 2 Netweaver Abap, Netweaver As Abap | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel) - versions KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49, does not sufficiently validate sap-passport information, which could lead to a Denial-of-Service attack. This allows an unauthorized remote user to provoke a breakdown of the SAP Web Dispatcher or Kernel work process. The crashed process can be restarted immediately, other pro ...
Show More |
|||||
| CVE-2022-22542 | 1 Sap | 1 S\/4hana | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
S/4HANA Supplier Factsheet exposes the private address and bank details of an Employee Business Partner with Supplier Role, AND Enterprise Search for Customer, Supplier and Business Partner objects exposes the private address fields of Employee Business Partners, to an actor that is not explicitly authorized to have access to that information, which could compromise Confidentiality.
|
|||||
| CVE-2022-22541 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
SAP BusinessObjects Business Intelligence Platform - versions 420, 430, may allow legitimate users to access information they shouldn't see through relational or OLAP connections. The main impact is the disclosure of company data to people that shouldn't or don't need to have access.
|
|||||
| CVE-2022-22540 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to execute crafted database queries, that could expose the backend database. Successful attacks could result in disclosure of a table of contents from the system, but no risk of modification possible.
|
|||||
| CVE-2022-22539 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
When a user opens a manipulated JPEG file format (.jpg, 2d.x3d) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application. The file format details along with their CVE relevant information can be found below.
|
|||||
| CVE-2022-22538 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
When a user opens a manipulated Adobe Illustrator file format (.ai, ai.x3d) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application. The file format details along with their CVE relevant information can be found below.
|
|||||
| CVE-2022-22537 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
When a user opens a manipulated Tagged Image File Format (.tiff, 2d.x3d)) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application. The file format details along with their CVE relevant information can be found below.
|
|||||
| CVE-2022-22535 | 1 Sap | 1 Erp Human Capital Management | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
SAP ERP HCM Portugal - versions 600, 604, 608, does not perform necessary authorization checks for a report that reads the payroll data of employees in a certain area. Since the affected report only reads the payroll information, the attacker can neither modify any information nor cause availability impacts.
|
|||||
| CVE-2022-22534 | 1 Sap | 1 Netweaver | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password. These endpoints are normally exposed over the network and successful exploitation can partially impact confidentiality of the application.
|
|||||
| CVE-2022-22533 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Due to improper error handling in SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an attacker could submit multiple HTTP server requests resulting in errors, such that it consumes the memory buffer. This could result in system shutdown rendering the system unavailable.
|
|||||
| CVE-2022-22532 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that could be impersonating the victim or even steal the victim's logon session.
|
|||||
| CVE-2021-44235 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
|
Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker with high privileges and has direct access to SAP System, to inject code when executing with a certain transaction class builder. This could allow execution of arbitrary commands on the operating system, that could highly impact the Confidentiality, Integrity and Availability of the system.
|
|||||
| CVE-2021-44234 | 1 Sap | 1 Business One | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
SAP Business One - version 10.0, extended log stores information that can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
|
|||||