CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

SAP : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-4018 284 +Priv +Info 2016-04-14 2016-04-20
7.5
None Remote Low Not required Partial Partial Partial
The Data Provisioning Agent (aka DP Agent) in SAP HANA does not properly restrict access to service functionality, which allows remote attackers to obtain sensitive information, gain privileges, and conduct unspecified other attacks via unspecified vectors, aka SAP Security Note 2262742.
2 CVE-2016-4017 DoS 2016-04-14 2016-04-20
5.0
None Remote Low Not required None None Partial
The Data Provisioning Agent (aka DP Agent) in SAP HANA allows remote attackers to cause a denial of service (process crash) via unspecified vectors, aka SAP Security Note 2262710.
3 CVE-2016-4016 79 XSS 2016-04-14 2016-04-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) allows remote attackers to inject arbitrary web script or HTML via vectors related to UR Control, aka SAP Security Note 2201295.
4 CVE-2016-4015 DoS 2016-04-14 2016-04-19
5.0
None Remote Low Not required None None Partial
The Enqueue Server in SAP NetWeaver JAVA AS 7.1 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted request, aka SAP Security Note 2258784.
5 CVE-2016-4014 DoS 2016-04-14 2016-04-19
9.0
User Remote Low Not required Partial Partial Complete
XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service via a crafted XML request, aka SAP Security Note 2254389.
6 CVE-2016-3980 20 DoS 2016-04-08 2016-07-26
5.0
None Remote Low Not required None None Partial
The Java Startup Framework (aka jstart) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted HTTP request, aka SAP Security Note 2259547.
7 CVE-2016-3979 20 DoS Mem. Corr. 2016-04-08 2016-07-26
5.0
None Remote Low Not required None None Partial
Internet Communication Manager (aka ICMAN or ICM) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (heap memory corruption and process crash) via a crafted HTTP request, related to the IctParseCookies function, aka SAP Security Note 2256185.
8 CVE-2016-3976 22 Dir. Trav. 2016-04-07 2016-07-25
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971.
9 CVE-2016-3975 79 XSS 2016-04-07 2016-07-25
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.NavigationURLTester, aka SAP Security Note 2238375.
10 CVE-2016-3974 DoS 2016-04-07 2016-07-25
7.5
None Remote Low Not required Partial Partial Partial
XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to _tc~monitoring~webservice~web/ServerNodesWSService, aka SAP Security Note 2235994.
11 CVE-2016-3973 200 +Info 2016-04-07 2016-07-25
5.0
None Remote Low Not required Partial None None
The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to obtain sensitive user information by visiting webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#, pressing "Add users", and doing a search, aka SAP Security Note 2255990.
12 CVE-2016-2536 399 Exec Code 2016-02-22 2016-05-19
6.8
None Remote Medium Not required Partial Partial Partial
Multiple use-after-free vulnerabilities in SAP 3D Visual Enterprise Viewer allow remote attackers to execute arbitrary code via a crafted SketchUp document. NOTE: the primary affected product may be SketchUp.
13 CVE-2016-2389 22 Dir. Trav. 2016-02-16 2016-05-25
7.8
None Remote Low Not required Complete None None
Directory traversal vulnerability in the GetFileList function in the SAP Manufacturing Integration and Intelligence (xMII) component 15.0 for SAP NetWeaver 7.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the Path parameter to /Catalog, aka SAP Security Note 2230978.
14 CVE-2016-2388 284 +Info 2016-02-16 2016-02-29
5.0
None Remote Low Not required Partial None None
The Universal Worklist Configuration in SAP NetWeaver 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.
15 CVE-2016-2387 79 XSS 2016-02-16 2016-05-25
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Java Proxy Runtime ProxyServer servlet in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via the (1) ns or (2) interface parameter to ProxyServer/register, aka SAP Security Note 2220571.
16 CVE-2016-2386 89 Exec Code Sql 2016-02-16 2016-02-18
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.
17 CVE-2016-1929 20 DoS 2016-01-20 2016-01-22
8.5
None Remote Low Not required None Partial Complete
The XS engine in SAP HANA allows remote attackers to spoof log entries in trace files and consequently cause a denial of service (disk consumption and process crash) via a crafted HTTP request, related to an unspecified debug function, aka SAP Security Note 2241978.
18 CVE-2016-1928 119 DoS Exec Code Overflow 2016-01-20 2016-01-22
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the XS engine (hdbxsengine) in SAP HANA allows remote attackers to cause a denial of service or execute arbitrary code via a crafted HTTP request, related to JSON, aka SAP Security Note 2241978.
19 CVE-2016-1911 79 XSS 2016-01-15 2016-06-01
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to the (1) Runtime Workbench (RWB) or (2) Pmitest servlet in the Process Monitoring Infrastructure (PMI), aka SAP Security Note 2206793 and 2234918.
20 CVE-2016-1910 200 +Info 2016-01-15 2016-01-21
5.0
None Remote Low Not required Partial None None
The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers to decrypt unspecified data via unknown vectors, aka SAP Security Note 2191290.
21 CVE-2015-8840 264 +Priv +Info 2016-04-07 2016-04-11
6.5
None Remote Low Single system Partial Partial Partial
The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215.
22 CVE-2015-8753 264 Bypass 2016-01-08 2016-01-12
9.4
None Remote Low Not required None Complete Complete
SAP Afaria 7.0.6001.5 allows remote attackers to bypass authorization checks and wipe or lock mobile devices via a crafted request, related to "Insecure signature," aka SAP Security Note 2134905.
23 CVE-2015-8600 264 +Priv Bypass +Info 2015-12-17 2015-12-18
7.5
None Remote Low Not required Partial Partial Partial
The SysAdminWebTool servlets in SAP Mobile Platform allow remote attackers to bypass authentication and obtain sensitive information, gain privileges, or have unspecified other impact via unknown vectors, aka SAP Security Note 2227855.
24 CVE-2015-8330 119 DoS Overflow Mem. Corr. 2015-11-24 2015-11-25
7.8
None Remote Low Not required None None Complete
The PCo agent in SAP Plant Connectivity (PCo) allows remote attackers to cause a denial of service (memory corruption and agent crash) via crafted xMII requests, aka SAP Security Note 2238619.
25 CVE-2015-8329 310 2015-11-24 2016-05-18
5.0
None Remote Low Not required Partial None None
SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) uses weak encryption (Base64 and DES), which allows attackers to conduct downgrade attacks and decrypt passwords via unspecified vectors, aka SAP Security Note 2240274.
26 CVE-2015-8030 119 Exec Code Overflow 2015-10-30 2015-11-02
6.8
None Remote Medium Not required Partial Partial Partial
SAP 3D Visual Enterprise Viewer (VEV) allows remote attackers to execute arbitrary code via a crafted (1) U3D, (2) LWO, (3) JPEG2000, or (4) FBX file, aka "Out-Of-Bounds Indexing" vulnerabilities.
27 CVE-2015-8029 119 Exec Code Overflow Mem. Corr. 2015-10-30 2015-11-02
6.8
None Remote Medium Not required Partial Partial Partial
SAP 3D Visual Enterprise Viewer (VEV) allows remote attackers to execute arbitrary code via a crafted Filmbox document, which triggers memory corruption.
28 CVE-2015-8028 119 Exec Code Overflow 2015-10-30 2015-11-02
6.8
None Remote Medium Not required Partial Partial Partial
Multiple buffer overflows in SAP 3D Visual Enterprise Viewer (VEV) allow remote attackers to execute arbitrary code via a crafted (1) 3DM or (2) Flic Animation file.
29 CVE-2015-7994 20 Exec Code 2015-11-10 2015-11-12
7.5
None Remote Low Not required Partial Partial Partial
The SQL interface in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to "SQL Login," aka SAP Security Note 2197428.
30 CVE-2015-7993 20 Exec Code 2015-11-10 2015-11-12
7.5
None Remote Low Not required Partial Partial Partial
The Extended Application Services (aka XS or XS Engine) in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to "HTTP Login," aka SAP Security Note 2197397.
31 CVE-2015-7992 119 DoS Overflow Mem. Corr. 2015-11-10 2015-11-12
4.0
None Remote Low Single system None None Partial
SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to cause a denial of service (memory corruption and indexserver crash) via unspecified vectors to the EXECUTE_SEARCH_RULE_SET stored procedure, aka SAP Security Note 2175928.
32 CVE-2015-7991 200 +Info 2015-11-10 2015-11-12
5.0
None Remote Low Not required Partial None None
The Web Dispatcher service in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to read web dispatcher and security trace files and possibly obtain passwords via unspecified vectors, aka SAP Security Note 2148854.
33 CVE-2015-7986 119 DoS Exec Code Overflow Mem. Corr. 2015-10-27 2016-03-30
7.5
None Remote Low Not required Partial Partial Partial
The index server (hdbindexserver) in SAP HANA 1.00.095 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via an HTTP request, aka SAP Security Note 2197428.
34 CVE-2015-7828 20 Exec Code 2015-11-10 2015-11-12
10.0
None Remote Low Not required Complete Complete Complete
SAP HANA Database 1.00 SPS10 and earlier do not require authentication, which allows remote attackers to execute arbitrary code or have unspecified other impact via a TrexNet packet to the (1) fcopydir, (2) fmkdir, (3) frmdir, (4) getenv, (5) dumpenv, (6) fcopy, (7) fput, (8) fdel, (9) fmove, (10) fget, (11) fappend, (12) fdir, (13) getTraces, (14) kill, (15) pexec, (16) stop, or (17) pythonexec method, aka SAP Security Note 2165583.
35 CVE-2015-7239 89 Exec Code Sql 2015-09-18 2015-09-23
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function module in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
36 CVE-2015-6664 2015-08-24 2015-08-25
6.8
None Remote Medium Not required Partial Partial Partial
XML external entity (XXE) vulnerability in the application import functionality in SAP Mobile Platform 2.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via crafted XML data, aka SAP Security Note 2152227.
37 CVE-2015-6663 79 XSS 2015-08-24 2015-08-25
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Client form in the Device Inspector page in SAP Afaria 7 allows remote attackers to inject arbitrary web script or HTML via crafted client name data, aka SAP Security Note 2152669.
38 CVE-2015-6662 2015-08-24 2015-08-25
6.8
None Remote Medium Not required Partial Partial Partial
XML external entity (XXE) vulnerability in SAP NetWeaver Portal 7.4 allows remote attackers to read arbitrary files and possibly have other unspecified impact via crafted XML data, aka SAP Security Note 2168485.
39 CVE-2015-5068 2015-06-24 2015-09-17
7.5
None Remote Low Not required Partial Partial Partial
XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML request, aka SAP Security Note 2159601.
40 CVE-2015-5067 255 2015-06-24 2015-09-17
7.5
None Remote Low Not required Partial Partial Partial
The (1) Cross-System Tools and (2) Data Transfer Workbench in SAP NetWeaver have hardcoded credentials, which allows remote attackers to obtain access via unspecified vectors, aka SAP Security Note 2059659 and 2057982.
41 CVE-2015-4161 264 +Priv +Info 2015-06-02 2015-06-03
7.5
None Remote Low Not required Partial Partial Partial
SAP Afaria does not properly restrict access to unspecified functionality, which allows remote attackers to obtain sensitive information, gain privileges, or have other unspecified impact via unknown vectors, SAP Security Note 2155690.
42 CVE-2015-4160 89 Exec Code Sql 2015-06-02 2015-06-03
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SAP ASE Database Platform allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Notes: 2152278.
43 CVE-2015-4159 89 Exec Code Sql 2015-06-02 2015-06-03
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SAP HANA Web-based Development Workbench allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Notes 2153892.
44 CVE-2015-4158 DoS 2015-06-02 2015-06-03
5.0
None Remote Low Not required None None Partial
SAP ABAP & Java Server allows remote attackers to cause a denial of service (service termination) via unspecified vectors, aka SAP Security Note 2121661.
45 CVE-2015-4157 DoS 2015-06-02 2015-06-03
5.0
None Remote Low Not required None None Partial
SAP Content Server allows remote attackers to cause a denial of service (service termination) via unspecified vectors, aka SAP Security Note 2127995.
46 CVE-2015-4092 119 DoS Exec Code Overflow 2015-05-26 2015-09-10
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the XComms process in SAP Afaria 7.00.6620.2 SP5 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request, aka SAP Security Note 2153690.
47 CVE-2015-4091 2015-05-26 2015-09-10
7.5
None Remote Low Not required Partial Partial Partial
XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to send TCP requests to intranet servers or possibly have unspecified other impact via an XML request to tc~sld~wd~main/Main, related to "CIM UPLOAD," aka SAP Security Note 2090851.
48 CVE-2015-3995 200 +Info 2015-05-29 2015-06-02
4.0
None Remote Low Single system Partial None None
SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to read arbitrary files via an IMPORT FROM SQL statement, aka SAP Security Note 2109565.
49 CVE-2015-3994 20 2015-05-29 2015-06-01
4.0
None Remote Low Single system None Partial None
The grant.xsfunc application in testApps/grantAccess/ in the XS Engine in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to spoof log entries via a crafted request, aka SAP Security Note 2109818.
50 CVE-2015-3981 200 +Info 2015-05-12 2015-05-14
5.0
None Remote Low Not required Partial None None
SAP NetWeaver RFC SDK allows attackers to obtain sensitive information via unspecified vectors, aka SAP Security Note 2084037.
Total number of vulnerabilities : 294   Page : 1 (This Page)2 3 4 5 6
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.