CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

SAP : Security Vulnerabilities (Execute Code)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-2536 399 Exec Code 2016-02-22 2016-04-14
6.8
None Remote Medium Not required Partial Partial Partial
Multiple use-after-free vulnerabilities in SAP 3D Visual Enterprise Viewer allow remote attackers to execute arbitrary code via a crafted SketchUp document. NOTE: the primary affected product may be SketchUp.
2 CVE-2016-2386 89 Exec Code Sql 2016-02-16 2016-02-18
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.
3 CVE-2016-1928 119 DoS Exec Code Overflow 2016-01-20 2016-01-22
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the XS engine (hdbxsengine) in SAP HANA allows remote attackers to cause a denial of service or execute arbitrary code via a crafted HTTP request, related to JSON, aka SAP Security Note 2241978.
4 CVE-2015-8030 119 Exec Code Overflow 2015-10-30 2015-11-02
6.8
None Remote Medium Not required Partial Partial Partial
SAP 3D Visual Enterprise Viewer (VEV) allows remote attackers to execute arbitrary code via a crafted (1) U3D, (2) LWO, (3) JPEG2000, or (4) FBX file, aka "Out-Of-Bounds Indexing" vulnerabilities.
5 CVE-2015-8029 119 Exec Code Overflow Mem. Corr. 2015-10-30 2015-11-02
6.8
None Remote Medium Not required Partial Partial Partial
SAP 3D Visual Enterprise Viewer (VEV) allows remote attackers to execute arbitrary code via a crafted Filmbox document, which triggers memory corruption.
6 CVE-2015-8028 119 Exec Code Overflow 2015-10-30 2015-11-02
6.8
None Remote Medium Not required Partial Partial Partial
Multiple buffer overflows in SAP 3D Visual Enterprise Viewer (VEV) allow remote attackers to execute arbitrary code via a crafted (1) 3DM or (2) Flic Animation file.
7 CVE-2015-7994 20 Exec Code 2015-11-10 2015-11-12
7.5
None Remote Low Not required Partial Partial Partial
The SQL interface in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to "SQL Login," aka SAP Security Note 2197428.
8 CVE-2015-7993 20 Exec Code 2015-11-10 2015-11-12
7.5
None Remote Low Not required Partial Partial Partial
The Extended Application Services (aka XS or XS Engine) in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to "HTTP Login," aka SAP Security Note 2197397.
9 CVE-2015-7986 119 DoS Exec Code Overflow Mem. Corr. 2015-10-27 2016-03-30
7.5
None Remote Low Not required Partial Partial Partial
The index server (hdbindexserver) in SAP HANA 1.00.095 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via an HTTP request, aka SAP Security Note 2197428.
10 CVE-2015-7828 20 Exec Code 2015-11-10 2015-11-12
10.0
None Remote Low Not required Complete Complete Complete
SAP HANA Database 1.00 SPS10 and earlier do not require authentication, which allows remote attackers to execute arbitrary code or have unspecified other impact via a TrexNet packet to the (1) fcopydir, (2) fmkdir, (3) frmdir, (4) getenv, (5) dumpenv, (6) fcopy, (7) fput, (8) fdel, (9) fmove, (10) fget, (11) fappend, (12) fdir, (13) getTraces, (14) kill, (15) pexec, (16) stop, or (17) pythonexec method, aka SAP Security Note 2165583.
11 CVE-2015-7239 89 Exec Code Sql 2015-09-18 2015-09-23
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function module in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
12 CVE-2015-4160 89 Exec Code Sql 2015-06-02 2015-06-03
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SAP ASE Database Platform allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Notes: 2152278.
13 CVE-2015-4159 89 Exec Code Sql 2015-06-02 2015-06-03
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SAP HANA Web-based Development Workbench allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Notes 2153892.
14 CVE-2015-4092 119 DoS Exec Code Overflow 2015-05-26 2015-09-10
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the XComms process in SAP Afaria 7.00.6620.2 SP5 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request, aka SAP Security Note 2153690.
15 CVE-2015-3980 89 Exec Code Sql 2015-05-12 2015-05-13
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2097534.
16 CVE-2015-3979 Exec Code 2015-05-12 2015-05-13
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary code via unknown vectors, aka SAP Security Note 2097534.
17 CVE-2015-2815 119 DoS Exec Code Overflow 2015-04-01 2015-04-02
6.5
None Remote Low Single system Partial Partial Partial
Buffer overflow in the C_SAPGPARAM function in the NetWeaver Dispatcher in SAP KERNEL 7.00 (7000.52.12.34966) and 7.40 (7400.12.21.30308) allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2063369.
18 CVE-2015-2282 119 DoS Exec Code Overflow 2015-06-02 2015-06-03
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316.
19 CVE-2014-9595 119 DoS Exec Code Overflow 2015-01-15 2015-01-16
6.5
None Remote Low Single system Partial Partial Partial
Buffer overflow in the SAP NetWeaver Dispatcher in SAP Kernel 7.00 32-bit and 7.40 64-bit allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via unspecified vectors, related to the Spool System, aka SAP Note 2061271.
20 CVE-2014-9594 119 DoS Exec Code Overflow 2015-01-15 2015-01-16
6.5
None Remote Low Single system Partial Partial Partial
Buffer overflow in the SAP NetWeaver Dispatcher in SAP Kernel 7.00 32-bit and 7.40 64-bit allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via unspecified vectors, related to the ABAP VM, aka SAP Note 2059734.
21 CVE-2014-9264 119 Exec Code Overflow 2014-12-11 2014-12-12
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywhere allows remote attackers to execute arbitrary code via a crafted column alias.
22 CVE-2014-8669 94 Exec Code 2014-11-06 2014-11-06
10.0
None Remote Low Not required Complete Complete Complete
The SAP Promotion Guidelines (CRM-MKT-MPL-TPM-PPG) module for SAP CRM allows remote attackers to execute arbitrary code via unspecified vectors.
23 CVE-2014-8668 89 Exec Code Sql 2014-11-06 2015-11-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SAP Contract Accounting allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
24 CVE-2014-8664 89 Exec Code Sql 2014-11-06 2015-11-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Product Safety (EHS-SAF) component in SAP Environment, Health, and Safety Management allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
25 CVE-2014-8663 89 Exec Code Sql 2014-11-06 2014-11-06
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Data Basis (BW-WHM-DBA) in SAP NetWeaver Business Warehouse allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
26 CVE-2014-8661 94 Exec Code 2014-11-06 2014-11-06
10.0
None Remote Low Not required Complete Complete Complete
The SAP CRM Internet Sales module allows remote attackers to execute arbitrary commands via unspecified vectors.
27 CVE-2014-8660 94 Exec Code 2014-11-06 2014-11-06
7.2
None Local Low Not required Complete Complete Complete
SAP Document Management Services allows local users to execute arbitrary commands via unspecified vectors.
28 CVE-2014-8588 89 Exec Code Sql 2014-11-04 2015-11-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in metadata.xsjs in SAP HANA 1.00.60.379371 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
29 CVE-2014-8313 94 Exec Code 2014-10-16 2014-10-23
6.0
None Remote Medium Single system Partial Partial Partial
Eval injection in ide/core/base/server/net.xsjs in the Developer Workbench in SAP HANA allows remote attackers to execute arbitrary XSJX code via unspecified vectors.
30 CVE-2014-6252 119 DoS Exec Code Overflow 2014-09-05 2014-09-08
6.5
None Remote Low Single system Partial Partial Partial
Buffer overflow in disp+work.exe 7000.52.12.34966 and 7200.117.19.50294 in the Dispatcher in SAP NetWeaver 7.00 and 7.20 allows remote authenticated users to cause a denial of service or execute arbitrary code via unspecified vectors.
31 CVE-2014-5506 Exec Code 2014-09-04 2015-12-14
6.8
None Remote Medium Not required Partial Partial Partial
Double free vulnerability in SAP Crystal Reports allows remote attackers to execute arbitrary code via crafted connection string record in an RPT file.
32 CVE-2014-5505 119 Exec Code Overflow 2014-09-04 2015-12-14
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in SAP Crystal Reports allows remote attackers to execute arbitrary code via a crafted data source string in an RPT file.
33 CVE-2013-7362 94 Exec Code 2014-04-10 2014-04-11
7.5
None Remote Low Not required Partial Partial Partial
An unspecified RFC function in SAP CCMS Agent allows remote attackers to execute arbitrary commands via unknown vectors.
34 CVE-2013-7355 89 Exec Code Sql 2014-04-10 2014-04-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SAP BI Universal Data Integration allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to the J2EE schema.
35 CVE-2013-7096 89 Exec Code Sql 2013-12-13 2013-12-19
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in SAP EMR Unwired allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
36 CVE-2013-7094 89 Exec Code Sql 2013-12-13 2013-12-30
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the RSDDCVER_COUNT_TAB_COLS function in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
37 CVE-2013-6869 89 Exec Code Sql 2013-11-23 2013-12-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the SRTT_GET_COUNT_BEFORE_KEY_RFC function in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
38 CVE-2013-6820 Exec Code 2013-11-20 2013-11-20
9.3
None Remote Medium Not required Complete Complete Complete
Unrestricted file upload vulnerability in the SAP NetWeaver Development Infrastructure (NWDI) allows remote attackers to execute arbitrary code by uploading a file with an executable extension via unspecified vectors.
39 CVE-2013-6817 119 DoS Exec Code Overflow 2013-11-20 2013-11-20
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in SAP Network Interface Router (SAProuter) 7.30 allows remote attackers to cause a denial of service and execute arbitrary code via crafted NI Route messages.
40 CVE-2013-6284 Exec Code 2013-10-26 2013-10-28
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Statutory Reporting for Insurance (FS_SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability."
41 CVE-2013-5723 89 Exec Code Sql 2013-09-12 2013-10-07
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to "ABAD0_DELETE_DERIVATION_TABLE."
42 CVE-2013-3244 94 Exec Code 2013-10-23 2013-10-25
6.0
None Remote Medium Single system Partial Partial Partial
Multiple unspecified vulnerabilities in the CJDB_FILL_MEMORY_FROM_PPB function in the Project System (PS-IS) module for SAP ERP Central Component (ECC) allow remote attackers to execute arbitrary code via a (1) RFC or (2) SOAP-RFC request.
43 CVE-2013-3063 Exec Code 2013-05-01 2013-11-18
6.0
None Remote Medium Single system Partial Partial Partial
SAP BASIS Communication Services 4.6B through 7.30 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
44 CVE-2012-4341 119 DoS Exec Code Overflow 2012-08-15 2012-08-16
10.0
None Remote Low Not required Complete Complete Complete
Multiple stack-based buffer overflows in msg_server.exe in SAP NetWeaver ABAP 7.x allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) long parameter value, (2) crafted string size field, or (3) long Parameter Name string in a package with opcode 0x43 and sub opcode 0x4 to TCP port 3900.
45 CVE-2012-2611 20 Exec Code 2012-05-15 2012-08-18
9.3
None Remote Medium Not required Complete Complete Complete
The DiagTraceR3Info function in the Dialog processor in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2, when a certain Developer Trace configuration is enabled, allows remote attackers to execute arbitrary code via a crafted SAP Diag packet.
46 CVE-2010-4556 119 Exec Code Overflow 2010-12-17 2010-12-20
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in the SapThemeRepository ActiveX control (sapwdpcd.dll) in SAP NetWeaver Business Client allows remote attackers to execute arbitrary code via the (1) Load and (2) LoadTheme methods.
47 CVE-2010-3032 189 DoS Exec Code Overflow 2010-08-17 2010-08-30
10.0
None Remote Low Not required Complete Complete Complete
Integer overflow in the OBGIOPServerWorker::extractHeader function in the ebus-3-3-2-6.dll module in SAP Crystal Reports 2008 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a GIOP packet with a crafted size, which triggers a heap-based buffer overflow.
48 CVE-2010-2590 119 1 Exec Code Overflow 2010-12-21 2011-01-12
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in the CrystalReports12.CrystalPrintControl.1 ActiveX control in PrintControl.dll 12.3.2.753 in SAP Crystal Reports 2008 SP3 Fix Pack 3.2 allows remote attackers to execute arbitrary code via a long ServerResourceVersion property value.
49 CVE-2010-1185 119 Exec Code Overflow 2010-03-29 2010-03-30
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in serv.exe in SAP MaxDB 7.4.3.32, and 7.6.0.37 through 7.6.06 allows remote attackers to execute arbitrary code via an invalid length parameter in a handshake packet to TCP port 7210. NOTE: some of these details are obtained from third party information.
50 CVE-2010-0219 255 1 Exec Code 2010-10-18 2013-05-09
10.0
None Remote Low Not required Complete Complete Complete
Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
Total number of vulnerabilities : 76   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.