Filtered by vendor Sap
Total: 1568 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-27606 | 1 Sap | 1 Netweaver As Abap | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EncOAMParamStore() causing the system to crash and rendering it unavai ... |
| CVE-2021-27605 | 1 Sap | 1 Fiori Apps 2.0 For Travel Management In Sap Erp | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted. |
| CVE-2021-27604 | 1 Sap | 1 Netweaver Process Integration | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | In order to prevent XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SAP recommends to refer this note. |
| CVE-2021-27603 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time. An attacker could call this function module multiple times to block all work processes thereby causing Denial of Service and affecting the Availability of the SAP system. |
| CVE-2021-27602 | 1 Sap | 1 Commerce | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL | SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application. |
| CVE-2021-27601 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree. |
| CVE-2021-27600 | 1 Sap | 1 Manufacturing Execution | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored Cross-Site Scripting (XSS) vulnerability. The malicious code can be used for different purposes. e.g., information can be read, modified, and sent to the attacker. However, availability of the server ... |
| CVE-2021-27599 | 1 Sap | 1 Netweaver Process Integration | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Integration Builder Framework), versions - 7.10, 7.30, 7.31, 7.40, 7.50, allows an attacker to access information under certain conditions, which would otherwise be restricted. |
| CVE-2021-27598 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet. |
| CVE-2021-27597 | 1 Sap | 1 Netweaver Abap | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | SAP NetWeaver AS for ABAP (RFC Gateway), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method memmove() causing the system to crash and rendering it unavailable. In ... |
| CVE-2021-27596 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 3.3 LOW | When a user opens manipulated Autodesk 3D Studio for MS-DOS (.3DS) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. |
| CVE-2021-27595 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 3.3 LOW | When a user opens manipulated Portable Document Format (.PDF) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. |
| CVE-2021-27594 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 3.3 LOW | When a user opens manipulated Windows Bitmap (.BMP) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. |
| CVE-2021-27593 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 3.3 LOW | When a user opens manipulated Graphics Interchange Format (.GIF) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. |
| CVE-2021-27592 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | When a user opens manipulated Universal 3D (.U3D) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. |
| CVE-2021-27591 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | When a user opens manipulated Portable Document Format (.PDF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. |
| CVE-2021-27590 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | When a user opens manipulated Tag Image File Format (.TIFF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. |
| CVE-2021-27589 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | When a user opens manipulated Scalable Vector Graphics (.SVG) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. |
| CVE-2021-27588 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | When a user opens manipulated HPGL format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. |
| CVE-2021-27587 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | When a user opens manipulated Jupiter Tessellation (.JT) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. |
| CVE-2021-27586 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | When a user opens manipulated Interchange File Format (.IFF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. |
| CVE-2021-27585 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | When a user opens manipulated Computer Graphics Metafile (.CGM) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. |
| CVE-2021-27584 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 3.3 LOW | When a user opens manipulated PhotoShop Document (.PSD) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. |
| CVE-2021-21493 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 3.3 LOW | When a user opens manipulated Graphics Interchange Format (.GIF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. |
| CVE-2021-21492 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | SAP NetWeaver Application Server Java(HTTP Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate logon group in URLs, resulting in a content spoofing vulnerability when directory listing is enabled. |
| CVE-2021-21491 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM | SAP Netweaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. |
| CVE-2021-21490 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user. |
| CVE-2021-21489 | 1 Sap | 1 Netweaver Enterprise Portal | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | SAP NetWeaver Enterprise Portal versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user related data, resulting in Stored Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with administrative privileges to store a malicious script on the portal. The execution of the script content by a victim registered on the portal could compromise the confidentiality and integrity of portal content. |
| CVE-2021-21488 | 1 Sap | 1 Netweaver Knowledge Management | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | Knowledge Management versions 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 allows a remote attacker with basic privileges to deserialize user-controlled data without verification, leading to insecure deserialization which triggers the attacker's code, therefore impacting Availability. |
| CVE-2021-21487 | 1 Sap | 1 Payment Engine | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | SAP Payment Engine version 500, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. |
| CVE-2021-21486 | 1 Sap | 1 Enterprise Financial Services | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | SAP Enterprise Financial Services versions, 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. |
| CVE-2021-21485 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user. |
| CVE-2021-21484 | 1 Sap | 1 Hana | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL | LDAP authentication in SAP HANA Database version 2.0 can be bypassed if the attached LDAP directory server is configured to enable unauthenticated bind. |
| CVE-2021-21483 | 1 Sap | 1 Solution Manager | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM | Under certain conditions SAP Solution Manager, version - 720, allows a high privileged attacker to get access to sensitive information which has a direct serious impact beyond the exploitable component thereby affecting the confidentiality in the application. |
| CVE-2021-21482 | 1 Sap | 1 Netweaver Master Data Management | 2024-11-21 | 4.8 MEDIUM | 8.3 HIGH | SAP NetWeaver Master Data Management, versions - 710, 710.750, allows a malicious unauthorized user with access to the MDM Server subnet to find the password using a brute force method. If successful, the attacker could obtain access to highly sensitive data and MDM administrative privileges leading to information disclosure vulnerability thereby affecting the confidentiality and integrity of the application. This happens when security guidelines and recommendations concerning administrative acc ... |
| CVE-2021-21481 | 1 Sap | 1 Netweaver | 2024-11-21 | 8.3 HIGH | 8.8 HIGH | The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check. This might allow an unauthorized attacker to access configuration objects, including such that grant administrative privileges. This could result in complete compromise of system confidentiality, integrity, and availability. |
| CVE-2021-21479 | 1 Sap | 1 Scimono | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | In SCIMono before 0.0.19, it is possible for an attacker to inject and execute java expression compromising the availability and integrity of the system. |
| CVE-2021-21478 | 1 Sap | 1 Web Dynpro Abap | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM | SAP Web Dynpro ABAP allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. |
| CVE-2021-21477 | 1 Sap | 1 Commerce | 2024-11-21 | 9.0 HIGH | 9.9 CRITICAL | SAP Commerce Cloud, versions - 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools rules, an authenticated attacker with this privilege will be able to inject malicious code in the drools rules which when executed leads to Remote Code Execution vulnerability enabling the attacker to compromise the underlying host enabling him to impair confidentiality, integrity and availability of the application. |
| CVE-2021-21476 | 1 Sap | 1 Ui5 | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM | SAP UI5 versions before 1.38.49, 1.52.49, 1.60.34, 1.71.31, 1.78.18, 1.84.5, 1.85.4, 1.86.1 allows an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. |
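The insecure-deserialization entry above (CVE-2021-21488, Knowledge Management) describes the general failure of deserializing user-controlled bytes "without verification". The following is an added example, not SAP's code: it shows the same property in Python's pickle, which, like Java's ObjectInputStream in the affected component, lets the byte stream name the classes and callables to invoke, and then a loader that allow-lists what a stream may resolve. The `Exploit` class, the `Record` type, the allow-list and the payload are all constructed for this example.

```python
# Added example (not SAP's code): the insecure-deserialization pattern behind
# CVE-2021-21488, shown in Python because that is what runs here. A pickle
# stream names the callables the unpickler should invoke, so deserialising
# attacker-controlled bytes executes attacker-chosen code. Everything below
# (Exploit, Record, the allow-list) is constructed for this example.
import io
import pickle
from dataclasses import dataclass

SIDE_EFFECTS = []  # records that attacker code ran; stands in for a real impact


def attacker_chosen_callable(message: str) -> str:
    SIDE_EFFECTS.append(message)
    return message


class Exploit:
    """Whatever __reduce__ returns is called by the unpickler during load."""

    def __reduce__(self):
        return (attacker_chosen_callable, ("code executed during deserialisation",))


def build_malicious_payload() -> bytes:
    """What an attacker would send; no Exploit class is needed on the receiving side."""
    return pickle.dumps(Exploit())


@dataclass
class Record:
    """The only application type the hardened loader is meant to accept."""
    name: str
    count: int


def serialise_record(record: Record) -> bytes:
    return pickle.dumps(record)


def vulnerable_load(data: bytes):
    """Bug: pickle.loads() trusts the stream to say which globals to resolve and call."""
    return pickle.loads(data)


# (module, qualified name) pairs a stream is allowed to reference; nothing else resolves.
ALLOWED_GLOBALS = {(__name__, "Record")}


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-lists the globals a stream may reference; every other lookup is refused."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def hardened_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def hardened_load_rejects(data: bytes) -> bool:
    """True when the allow-listed loader refuses the stream instead of executing it."""
    try:
        hardened_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = build_malicious_payload()
    print("vulnerable_load ->", vulnerable_load(payload), "| side effects:", SIDE_EFFECTS)
    print("hardened rejects payload:", hardened_load_rejects(payload))  # True
    print("hardened accepts Record :", hardened_load(serialise_record(Record("cfg", 3))))
```

The allow-list is the whole defence: `find_class` is the single point where a pickle stream turns a name into a live object, so refusing unknown names there stops gadget chains regardless of what the stream contains. The Java equivalent is an `ObjectInputFilter` (JEP 290) with an explicit class pattern; in both runtimes, the stronger fix is to not accept a native serialization format from untrusted principals at all.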
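The HANA entry above (CVE-2021-21484) hinges on a directory-server behaviour that is easy to miss: RFC 4513 section 5.1.2 defines an "unauthenticated" simple bind, a non-empty DN sent with an empty password, which a server that enables it answers with success while granting only an anonymous session. Any application that equates "bind returned success" with "password verified" is then bypassable by whoever knows a valid DN. The following is an added example, not SAP's or HANA's code: `MockDirectory` is a constructed stand-in for a real LDAP server that models those bind semantics, and the vulnerable and hardened login wrappers are assumptions for this illustration.

```python
# Added example (not SAP's code): models the LDAP simple-bind semantics behind
# CVE-2021-21484. RFC 4513 5.1.2 "unauthenticated" bind = non-empty DN + empty
# password; a server that allows it returns success but the session is anonymous.
# MockDirectory, its sample entries and the two login wrappers are constructed
# for this example.
from dataclasses import dataclass


@dataclass
class BindResult:
    success: bool
    anonymous: bool  # True when the server granted only an anonymous session


@dataclass
class MockDirectory:
    """Minimal model of a directory server's simple-bind decision logic."""
    passwords: dict                       # DN -> password (constructed sample data)
    allow_unauthenticated: bool = False   # RFC 4513 5.1.2 switch, e.g. OpenLDAP 'allow bind_anon_dn'

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if dn == "" and password == "":
            # anonymous bind (RFC 4513 5.1.1): always an anonymous session
            return BindResult(True, anonymous=True)
        if dn != "" and password == "":
            # unauthenticated bind (5.1.2): succeeds only if enabled, and is still anonymous
            return BindResult(self.allow_unauthenticated, anonymous=self.allow_unauthenticated)
        # name/password bind (5.1.3): the only branch that actually verifies a credential
        return BindResult(self.passwords.get(dn) == password, anonymous=False)


def vulnerable_login(directory: MockDirectory, dn: str, password: str) -> bool:
    """Bug: treats any successful bind as proof that the password was checked."""
    return directory.simple_bind(dn, password).success


def hardened_login(directory: MockDirectory, dn: str, password: str) -> bool:
    """Refuses empty or blank credentials before binding and rejects anonymous sessions."""
    if not dn or not password.strip():
        return False
    result = directory.simple_bind(dn, password)
    return result.success and not result.anonymous


if __name__ == "__main__":
    users = {"cn=dbadmin,ou=people,dc=example,dc=com": "correct-horse"}
    weak = MockDirectory(users, allow_unauthenticated=True)
    dn = "cn=dbadmin,ou=people,dc=example,dc=com"
    print("vulnerable, empty password:", vulnerable_login(weak, dn, ""))             # True: bypass
    print("hardened,   empty password:", hardened_login(weak, dn, ""))               # False
    print("hardened,   real password :", hardened_login(weak, dn, "correct-horse"))  # True
```

Two checks carry over to real deployments: the application must refuse empty or whitespace-only passwords before it ever issues a bind (the directory cannot be relied on to do this), and the directory should have unauthenticated binds disabled. Where the client library exposes it, a post-bind "Who am I?" request (RFC 4532) confirms that the authorization identity is the expected DN and not anonymous.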
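Three entries above (CVE-2021-21491 for WebDynpro Java, CVE-2021-21478 for Web Dynpro ABAP and CVE-2021-21476 for SAP UI5) are the same reverse-tabnabbing pattern: a link opened with `target="_blank"` hands the new page a `window.opener` reference unless `rel="noopener"` is present, and the opened page can then rewrite `opener.location` to a look-alike login page. The following is an added example, not SAP's or the UI5 project's code: a standard-library scanner that flags such links in rendered HTML and a rewriter that adds the missing attribute. The sample markup is constructed for this example.

```python
# Added example (not SAP's code): scanner and fixer for the reverse-tabnabbing
# pattern behind CVE-2021-21491, CVE-2021-21478 and CVE-2021-21476. Only the
# standard library is used; SAMPLE_HTML is constructed for this example.
import re
from html.parser import HTMLParser
from typing import List, Tuple


class TabnabbingScanner(HTMLParser):
    """Collects (line, href) for elements that open a new tab without rel=noopener."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[int, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area", "form"):
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("target", "").lower() != "_blank":
            return
        rel_tokens = attr.get("rel", "").lower().split()
        if "noopener" not in rel_tokens:
            line, _ = self.getpos()
            self.findings.append((line, attr.get("href") or attr.get("action", "")))


def find_tabnabbing_links(html: str) -> List[Tuple[int, str]]:
    scanner = TabnabbingScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


_ANCHOR = re.compile(r"<a\b[^>]*>", re.IGNORECASE)
_TARGET_BLANK = re.compile(r"""\btarget\s*=\s*["']?_blank\b""", re.IGNORECASE)
_REL = re.compile(r"""\brel\s*=\s*(["'])(.*?)\1""", re.IGNORECASE)


def add_noopener(html: str) -> str:
    """Rewrites every <a target=_blank> so that it carries rel="noopener noreferrer"."""

    def fix(match) -> str:
        tag = match.group(0)
        if not _TARGET_BLANK.search(tag):
            return tag
        rel = _REL.search(tag)
        if rel:  # extend an existing rel attribute rather than duplicating it
            tokens = rel.group(2).split()
            tokens += [t for t in ("noopener", "noreferrer") if t not in tokens]
            return tag[: rel.start(2)] + " ".join(tokens) + tag[rel.end(2):]
        return tag[:-1] + ' rel="noopener noreferrer">'

    return _ANCHOR.sub(fix, html)


SAMPLE_HTML = """<ul>
<li><a href="https://partner.example/report" target="_blank">Partner report</a></li>
<li><a href="https://help.example/" target="_blank" rel="noopener">Help</a></li>
<li><a href="/internal/dashboard">Dashboard</a></li>
</ul>"""

if __name__ == "__main__":
    for line, href in find_tabnabbing_links(SAMPLE_HTML):
        print(f"line {line}: target=_blank without rel=noopener -> {href}")
    print(add_noopener(SAMPLE_HTML))
```

The same rule applies to script-driven navigation: `window.open(url, "_blank", "noopener")` drops the opener reference, whereas a plain `window.open(url)` keeps it. Recent browsers default `target=_blank` anchors to `noopener`, but server-rendered markup should stay explicit because that default is not guaranteed on every client an enterprise portal serves.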