CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

SAP : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-5068 2015-06-24 2015-06-25
7.5
None Remote Low Not required Partial Partial Partial
XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML request, aka SAP Security Note 2159601.
2 CVE-2015-5067 255 2015-06-24 2015-06-24
5.0
None Remote Low Not required Partial None None
The (1) Cross-System Tools and (2) Data Transfer Workbench in SAP NetWeaver have hardcoded credentials, which allows remote attackers to obtain access via unspecified vectors, aka SAP Security Note 2059659 and 2057982.
3 CVE-2015-4161 264 +Priv +Info 2015-06-02 2015-06-03
7.5
None Remote Low Not required Partial Partial Partial
SAP Afaria does not properly restrict access to unspecified functionality, which allows remote attackers to obtain sensitive information, gain privileges, or have other unspecified impact via unknown vectors, SAP Security Note 2155690.
4 CVE-2015-4160 89 Exec Code Sql 2015-06-02 2015-06-03
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SAP ASE Database Platform allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Notes: 2152278.
5 CVE-2015-4159 89 Exec Code Sql 2015-06-02 2015-06-03
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SAP HANA Web-based Development Workbench allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Notes 2153892.
6 CVE-2015-4158 DoS 2015-06-02 2015-06-03
5.0
None Remote Low Not required None None Partial
SAP ABAP & Java Server allows remote attackers to cause a denial of service (service termination) via unspecified vectors, aka SAP Security Note 2121661.
7 CVE-2015-4157 DoS 2015-06-02 2015-06-03
5.0
None Remote Low Not required None None Partial
SAP Content Server allows remote attackers to cause a denial of service (service termination) via unspecified vectors, aka SAP Security Note 2127995.
8 CVE-2015-4092 119 DoS Exec Code Overflow 2015-05-26 2015-06-25
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the XComms process in SAP Afaria 7.00.6620.2 SP5 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request, aka SAP Security Note 2153690.
9 CVE-2015-4091 2015-05-26 2015-06-25
7.5
None Remote Low Not required Partial Partial Partial
XML external entity (XXE) vulnerability in SAP NetWeaver AS Java allows remote attackers to send TCP requests to intranet servers or possibly have other unspecified impact via an XML request, related to "CIM UPLOAD," aka SAP Security Note 2090851.
10 CVE-2015-3995 200 +Info 2015-05-29 2015-06-02
4.0
None Remote Low Single system Partial None None
SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to read arbitrary files via an IMPORT FROM SQL statement, aka SAP Security Note 2109565.
11 CVE-2015-3994 20 2015-05-29 2015-06-01
4.0
None Remote Low Single system None Partial None
The grant.xsfunc application in testApps/grantAccess/ in the XS Engine in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to spoof log entries via a crafted request, aka SAP Security Note 2109818.
12 CVE-2015-3981 200 +Info 2015-05-12 2015-05-14
5.0
None Remote Low Not required Partial None None
SAP NetWeaver RFC SDK allows attackers to obtain sensitive information via unspecified vectors, aka SAP Security Note 2084037.
13 CVE-2015-3980 89 Exec Code Sql 2015-05-12 2015-05-13
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2097534.
14 CVE-2015-3979 Exec Code 2015-05-12 2015-05-13
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary code via unknown vectors, aka SAP Security Note 2097534.
15 CVE-2015-3978 200 +Info 2015-05-12 2015-05-14
2.1
None Local Low Not required Partial None None
SAP Sybase Unwired Platform Online Data Proxy allows local users to obtain usernames and passwords via the DataVault, aka SAP Security Note 2094830.
16 CVE-2015-3621 20 +Priv 2015-07-16 2015-07-21
9.3
None Remote Medium Not required Complete Complete Complete
Untrusted search path vulnerability in SAP Enterprise Central Component (ECC) allows local users to gain privileges via a Trojan horse program.
17 CVE-2015-3449 254 +Priv 2015-07-16 2015-07-21
7.2
None Local Low Not required Complete Complete Complete
The Windows client in SAP Afaria 7.0.6398.0 uses weak permissions (Everyone: read and Everyone: write) for the install folder, which allows local users to gain privileges via a Trojan horse XeService.exe file.
18 CVE-2015-2820 119 DoS Overflow 2015-04-01 2015-04-01
5.0
None Remote Low Not required None None Partial
Buffer overflow in XcListener in SAP Afaria 7.0.6001.5 allows remote attackers to cause a denial of service (process termination) via a crafted request, aka SAP Security Note 2132584.
19 CVE-2015-2819 20 DoS 2015-04-01 2015-05-15
5.0
None Remote Low Not required None None Partial
SAP Sybase SQL Anywhere 11 and 16 allows remote attackers to cause a denial of service (crash) via a crafted request, aka SAP Security Note 2108161.
20 CVE-2015-2818 2015-04-01 2015-04-01
5.0
None Remote Low Not required None Partial None
XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2125513.
21 CVE-2015-2817 200 +Info 2015-04-01 2015-04-02
5.0
None Remote Low Not required Partial None None
The SAP Management Console in SAP NetWeaver 7.40 allows remote attackers to obtain sensitive information via the ReadProfile parameters, aka SAP Security Note 2091768.
22 CVE-2015-2816 284 2015-04-01 2015-04-02
7.5
None Remote Low Not required Partial Partial Partial
The XcListener in SAP Afaria 7.0.6001.5 does not properly restrict access, which allows remote attackers to have unspecified impact via a crafted request, aka SAP Security Note 2134905.
23 CVE-2015-2815 119 DoS Exec Code Overflow 2015-04-01 2015-04-02
6.5
None Remote Low Single system Partial Partial Partial
Buffer overflow in the C_SAPGPARAM function in the NetWeaver Dispatcher in SAP KERNEL 7.00 (7000.52.12.34966) and 7.40 (7400.12.21.30308) allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2063369.
24 CVE-2015-2814 264 2015-04-01 2015-04-02
6.4
None Remote Low Not required None Partial Partial
SAP EMR Unwired (com.sap.mobile.healthcare.emr.v2) and Clinical Task Tracker (com.sap.mobile.healthcare.ctt) does not properly restrict access, which allows remote attackers to change the backendurl, clientid, ssourl, and infopageurl settings via unspecified vectors, aka SAP Security Note 2117079.
25 CVE-2015-2813 2015-04-01 2015-04-02
5.0
None Remote Low Not required None Partial None
XML external entity (XXE) vulnerability in SAP Mobile Platform allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2125358.
26 CVE-2015-2812 2015-04-01 2015-04-02
5.0
None Remote Low Not required None Partial None
XML external entity (XXE) vulnerability in XMLValidationComponent in SAP NetWeaver Portal 7.31.201109172004 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2093966.
27 CVE-2015-2811 2015-04-01 2015-04-02
5.0
None Remote Low Not required None Partial None
XML external entity (XXE) vulnerability in ReportXmlViewer in SAP NetWeaver Portal 7.31.201109172004 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2111939.
28 CVE-2015-2282 119 DoS Exec Code Overflow 2015-06-02 2015-06-03
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316.
29 CVE-2015-2278 119 DoS Overflow 2015-06-02 2015-06-03
5.0
None Remote Low Not required None None Partial
The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, related to look-ups of non-simple codes, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316.
30 CVE-2015-2076 200 +Info 2015-02-27 2015-03-16
5.0
None Remote Low Not required Partial None None
The Auditing service in SAP BusinessObjects Edge 4.0 allows remote attackers to obtains sensitive information by reading an audit event, aka SAP Note 2011395.
31 CVE-2015-2075 264 2015-02-27 2015-03-16
5.0
None Remote Low Not required None Partial None
SAP BusinessObjects Edge 4.0 allows remote attackers to delete audit events from the auditee queue via a clearData CORBA operation, aka SAP Note 2011396.
32 CVE-2015-2072 79 XSS 2015-02-27 2015-03-02
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA 73 (1.00.73.00.389160) and HANA Developer Edition 80 (1.00.80.00.391861) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) ide/core/plugins/editor/templates/trace/hanaTraceDetailService.xsjs or (2) xs/ide/editor/templates/trace/hanaTraceDetailService.xsjs, aka SAP Note 2069676.
33 CVE-2015-1312 264 +Priv +Info 2015-01-22 2015-01-25
7.5
None Remote Low Not required Partial Partial Partial
The Dealer Portal in SAP ERP does not properly restrict access, which allows remote attackers to obtain sensitive information, gain privileges, and possibly have other unspecified impact via unknown vectors, aka SAP Note 2000401. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
34 CVE-2015-1311 94 2015-01-22 2015-01-25
10.0
None Remote Low Not required Complete Complete Complete
The Extended Application Services (XS) in SAP HANA allows remote attackers to inject arbitrary ABAP code via unspecified vectors, aka SAP Note 2098906. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
35 CVE-2015-1309 2015-01-22 2015-01-25
5.0
None Remote Low Not required Partial None None
XML external entity vulnerability in the Extended Computer Aided Test Tool (eCATT) in SAP NetWeaver AS ABAP 7.31 and earlier allows remote attackers to access arbitrary files via a crafted XML request, related to ECATT_DISPLAY_XMLSTRING_REMOTE, aka SAP Note 2016638.
36 CVE-2014-9595 119 DoS Exec Code Overflow 2015-01-15 2015-01-16
6.5
None Remote Low Single system Partial Partial Partial
Buffer overflow in the SAP NetWeaver Dispatcher in SAP Kernel 7.00 32-bit and 7.40 64-bit allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via unspecified vectors, related to the Spool System, aka SAP Note 2061271.
37 CVE-2014-9594 119 DoS Exec Code Overflow 2015-01-15 2015-01-16
6.5
None Remote Low Single system Partial Partial Partial
Buffer overflow in the SAP NetWeaver Dispatcher in SAP Kernel 7.00 32-bit and 7.40 64-bit allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via unspecified vectors, related to the ABAP VM, aka SAP Note 2059734.
38 CVE-2014-9569 79 XSS 2015-01-07 2015-01-08
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver Business Client (NWBC) for HTML 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) roundtrips parameter, aka SAP Security Note 2051285.
39 CVE-2014-9387 264 +Priv 2014-12-17 2015-03-16
10.0
User Remote Low Not required Complete Complete Complete
SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and gain privileges via a crafted CORBA call, aka SAP Note 2039905.
40 CVE-2014-9264 119 Exec Code Overflow 2014-12-11 2014-12-12
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywhere allows remote attackers to execute arbitrary code via a crafted column alias.
41 CVE-2014-8669 94 Exec Code 2014-11-06 2014-11-06
10.0
None Remote Low Not required Complete Complete Complete
The SAP Promotion Guidelines (CRM-MKT-MPL-TPM-PPG) module for SAP CRM allows remote attackers to execute arbitrary code via unspecified vectors.
42 CVE-2014-8668 89 Exec Code Sql 2014-11-06 2014-11-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SAP Contract Accounting allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
43 CVE-2014-8667 79 XSS 2014-11-06 2014-11-06
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in SAP HANA Web-based Development Workbench allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
44 CVE-2014-8666 200 +Info 2014-11-06 2014-11-06
5.0
None Remote Low Not required Partial None None
The User & Server configuration, InfoView refresh, user rights (BI-BIP-ADM) component in SAP Business Intellignece allows remote attackers to obtain audit event details via unspecified vectors.
45 CVE-2014-8665 200 +Info 2014-11-06 2014-11-06
5.0
None Remote Low Not required Partial None None
The SAP Business Intelligence Development Workbench allows remote attackers to obtain sensitive information by reading unspecified files.
46 CVE-2014-8664 89 Exec Code Sql 2014-11-06 2014-11-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Product Safety (EHS-SAF) component in SAP Environment, Health, and Safety Management allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
47 CVE-2014-8663 89 Exec Code Sql 2014-11-06 2014-11-06
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Data Basis (BW-WHM-DBA) in SAP NetWeaver Business Warehouse allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
48 CVE-2014-8662 DoS 2014-11-06 2014-11-06
7.8
None Remote Low Not required None None Complete
Unspecified vulnerability in SAP Payroll Process allows remote attackers to cause a denial of service via vectors related to session handling.
49 CVE-2014-8661 94 Exec Code 2014-11-06 2014-11-06
10.0
None Remote Low Not required Complete Complete Complete
The SAP CRM Internet Sales module allows remote attackers to execute arbitrary commands via unspecified vectors.
50 CVE-2014-8660 94 Exec Code 2014-11-06 2014-11-06
7.2
None Local Low Not required Complete Complete Complete
SAP Document Management Services allows local users to execute arbitrary commands via unspecified vectors.
Total number of vulnerabilities : 255   Page : 1 (This Page)2 3 4 5 6
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.