SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to write data to a database table. By doing so the attacker could increase response times of the AS ABAP, leading to mild impact on availability.
Max CVSS
9.4
EPSS Score
0.10%
Published
2023-12-12
Updated
2024-01-16
SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries. The exploitation of this issue could lead to SQL injection vulnerability and could allow an attacker to access, modify, and/or delete data from the backend database.
Max CVSS
9.9
EPSS Score
0.07%
Published
2023-01-10
Updated
2023-01-18
An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) - version 7.50 and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data across the entire system. This allows the attacker to have full read access to user data, make limited modifications to user data, and degrade the performance of the system, leading to a high impact on confidentiality and a limited impact on the availability and integrity of the application.
Max CVSS
9.9
EPSS Score
0.20%
Published
2022-12-13
Updated
2022-12-15
An unauthenticated user can attach to an open interface exposed through JNDI by the Messaging System of SAP NetWeaver Process Integration (PI) - version 7.50. This user can make use of an open naming and directory API to access services that could perform unauthorized operations. The vulnerability affects local users and data, leading to a considerable impact on confidentiality as well as availability and a limited impact on the integrity of the application. These operations can be used to: * Read any information * Modify sensitive information * Denial of Service attacks (DoS) * SQL Injection
Max CVSS
9.4
EPSS Score
0.15%
Published
2022-12-13
Updated
2022-12-15
If configured to use an Oracle database and if a query is created using the flexible search java api with a parameterized "in" clause, SAP Commerce - versions 1905, 2005, 2105, 2011, allows attacker to execute crafted database queries, exposing backend database. The vulnerability is present if the parameterized "in" clause accepts more than 1000 values.
Max CVSS
9.8
EPSS Score
0.22%
Published
2021-12-14
Updated
2021-12-16
Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.
Max CVSS
9.9
EPSS Score
0.10%
Published
2021-09-14
Updated
2022-07-12
DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability.
Max CVSS
9.1
EPSS Score
0.74%
Published
2021-09-15
Updated
2022-04-01
The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database. An attacker can include their own SQL commands which the database will execute without properly sanitizing the untrusted data leading to SQL injection vulnerability which can fully compromise the affected SAP system.
Max CVSS
9.9
EPSS Score
1.20%
Published
2021-01-12
Updated
2022-06-03
The use of an admin backend report within SAP Master Data Governance, versions - S4CORE 101, S4FND 102, 103, 104, SAP_BS_FND 748; allows an attacker to execute crafted database queries, exposing the backend database, leading to SQL Injection.
Max CVSS
8.8
EPSS Score
0.09%
Published
2020-05-12
Updated
2020-05-15
SAP Adaptive Server Enterprise, version 16.0, allows an authenticated user to execute crafted database queries to elevate privileges of users in the system, leading to SQL Injection.
Max CVSS
8.8
EPSS Score
0.09%
Published
2020-05-12
Updated
2020-05-14
SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504.
Max CVSS
8.8
EPSS Score
0.15%
Published
2017-04-14
Updated
2021-04-20
SQL injection vulnerability in SAP Business Intelligence platform before January 2017 allows remote attackers to obtain sensitive information, modify data, cause a denial of service (data deletion), or launch administrative operations or possibly OS commands via a crafted SQL query. The vendor response is SAP Security Note 2361633.
Max CVSS
10.0
EPSS Score
0.17%
Published
2017-04-13
Updated
2018-12-10

CVE-2016-2386

Known exploited
SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.
Max CVSS
9.8
EPSS Score
32.95%
Published
2016-02-16
Updated
2021-04-20
CISA KEV Added
2022-06-09
13 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!