CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

SAP : Security Vulnerabilities (CVSS score between 2 and 8.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-33661 20 2021-06-09 2021-06-11
4.3
None Remote Medium Not required None None Partial
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
2 CVE-2021-33660 20 2021-06-09 2021-06-11
4.3
None Remote Medium Not required None None Partial
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated FLI file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
3 CVE-2021-33659 20 2021-06-09 2021-06-11
4.3
None Remote Medium Not required None None Partial
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated GIF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
4 CVE-2021-27643 20 2021-06-09 2021-06-11
4.3
None Remote Medium Not required None None Partial
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
5 CVE-2021-27642 20 2021-06-09 2021-06-11
4.3
None Remote Medium Not required None None Partial
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
6 CVE-2021-27641 20 2021-06-09 2021-06-11
4.3
None Remote Medium Not required None None Partial
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated TIF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
7 CVE-2021-27640 20 2021-06-09 2021-06-11
4.3
None Remote Medium Not required None None Partial
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PSD file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
8 CVE-2021-27639 20 2021-06-09 2021-06-11
4.3
None Remote Medium Not required None None Partial
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated JT file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
9 CVE-2021-27638 20 2021-06-09 2021-06-11
4.3
None Remote Medium Not required None None Partial
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated JT file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
10 CVE-2021-27619 20 2021-05-11 2021-05-19
4.0
None Remote Low ??? Partial None None
SAP Commerce (Backoffice Search), versions - 1808, 1811, 1905, 2005, 2011, allows a low privileged user to search for attributes which are not supposed to be displayed to them. Although the search results are masked, the user can iteratively enter one character at a time to search and determine the masked attribute value thereby leading to information disclosure.
11 CVE-2021-27618 434 DoS 2021-05-11 2021-05-19
4.0
None Remote Low ??? None None Partial
The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not check the file type extension of the file uploaded from local source. An attacker could craft a malicious file and upload it to the application, which could lead to denial of service and impact the availability of the application.
12 CVE-2021-27617 400 2021-05-11 2021-05-19
4.0
None Remote Low ??? None None Partial
The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document uploaded from local source. An attacker can craft a malicious XML which when uploaded and parsed by the application, could lead to Denial-of-service conditions due to consumption of a large amount of system memory, thus highly impacting system availability.
13 CVE-2021-27616 863 2021-05-11 2021-05-21
7.2
None Local Low Not required Complete Complete Complete
Under certain conditions, SAP Business One Hana Chef Cookbook, versions - 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One for SAP HANA, allows an attacker to exploit an insecure temporary backup path and to access information which would otherwise be restricted, resulting in Information Disclosure vulnerability highly impacting the confidentiality, integrity and availability of the application.
14 CVE-2021-27614 74 Exec Code 2021-05-11 2021-05-21
3.6
None Local Low Not required None Partial Partial
SAP Business One Hana Chef Cookbook, versions - 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One on SAP HANA, allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application thereby highly impacting the integrity and availability of the application.
15 CVE-2021-27613 863 2021-05-11 2021-05-19
4.6
None Local Low Not required Partial Partial Partial
Under certain conditions, SAP Business One Chef cookbook, version - 9.2, 9.3, 10.0, used to install SAP Business One, allows an attacker to exploit an insecure temporary folder for incoming & outgoing payroll data and to access information which would otherwise be restricted, which could lead to Information Disclosure and highly impact system confidentiality, integrity and availability.
16 CVE-2021-27612 601 2021-05-11 2021-06-10
5.8
None Remote Medium Not required Partial Partial None
In specific situations SAP GUI for Windows, versions - 7.60 PL10, 7.70 PL1, forwards a user to specific malicious website which could contain malware or might lead to phishing attacks to steal credentials of the victim.
17 CVE-2021-27611 74 DoS Exec Code 2021-05-11 2021-05-19
4.6
None Local Low Not required Partial Partial Partial
SAP NetWeaver AS ABAP, versions - 700, 701, 702, 730, 731, allow a high privileged attacker to inject malicious code by executing an ABAP report when the attacker has access to the local SAP system. The attacker could then get access to data, overwrite them, or execute a denial of service.
18 CVE-2021-27609 862 2021-04-13 2021-04-20
4.0
None Remote Low ??? None Partial None
SAP Focused RUN versions 200, 300, does not perform necessary authorization checks for an authenticated user, which allows a user to call the oData service and manipulate the activation for the SAP EarlyWatch Alert service data collection and sending to SAP without the intended authorization.
19 CVE-2021-27608 428 2021-04-14 2021-04-20
4.4
None Local Medium Not required Partial Partial Partial
An unquoted service path in SAPSetup, version - 9.0, could lead to privilege escalation during the installation process that is performed when an executable file is registered. This could further lead to complete compromise of confidentiality, Integrity and Availability.
20 CVE-2021-27605 862 2021-04-13 2021-04-19
4.0
None Remote Low ??? Partial None None
SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted.
21 CVE-2021-27604 611 2021-04-14 2021-04-20
4.0
None Remote Low ??? Partial None None
In order to prevent XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SAP recommends to refer this note.
22 CVE-2021-27603 DoS 2021-04-13 2021-04-19
4.0
None Remote Low ??? None None Partial
An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time. An attacker could call this function module multiple times to block all work processes thereby causing Denial of Service and affecting the Availability of the SAP system.
23 CVE-2021-27602 94 Exec Code 2021-04-13 2021-04-21
6.5
None Remote Low ??? Partial Partial Partial
SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application.
24 CVE-2021-27601 79 XSS 2021-04-13 2021-04-20
3.5
None Remote Medium ??? None Partial None
SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree.
25 CVE-2021-27600 79 Exec Code XSS 2021-04-13 2021-04-16
3.5
None Remote Medium ??? None Partial None
SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored Cross-Site Scripting (XSS) vulnerability. The malicious code can be used for different purposes. e.g., information can be read, modified, and sent to the attacker. However, availability of the server cannot be impacted.
26 CVE-2021-27599 200 +Info 2021-04-14 2021-04-20
4.0
None Remote Low ??? Partial None None
SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Integration Builder Framework), versions - 7.10, 7.30, 7.31, 7.40, 7.50, allows an attacker to access information under certain conditions, which would otherwise be restricted.
27 CVE-2021-27598 862 2021-04-13 2021-04-20
5.0
None Remote Low Not required Partial None None
SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet.
28 CVE-2021-27596 20 2021-03-22 2021-03-25
4.3
None Remote Medium Not required None None Partial
When a user opens manipulated Autodesk 3D Studio for MS-DOS (.3DS) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application.
29 CVE-2021-27595 20 2021-03-22 2021-03-25
4.3
None Remote Medium Not required None None Partial
When a user opens manipulated Portable Document Format (.PDF) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application.
30 CVE-2021-27594 20 2021-03-22 2021-03-25
4.3
None Remote Medium Not required None None Partial
When a user opens manipulated Windows Bitmap (.BMP) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application.
31 CVE-2021-27593 2021-03-22 2021-03-26
4.3
None Remote Medium Not required None None Partial
When a user opens manipulated Graphics Interchange Format (.GIF) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application.
32 CVE-2021-27592 2021-03-09 2021-03-25
6.8
None Remote Medium Not required Partial Partial Partial
When a user opens manipulated Universal 3D (.U3D) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application.
33 CVE-2021-27591 2021-03-09 2021-03-25
6.8
None Remote Medium Not required Partial Partial Partial
When a user opens manipulated Portable Document Format (.PDF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.
34 CVE-2021-27590 2021-03-09 2021-03-25
6.8
None Remote Medium Not required Partial Partial Partial
When a user opens manipulated Tag Image File Format (.TIFF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.
35 CVE-2021-27589 2021-03-09 2021-03-25
6.8
None Remote Medium Not required Partial Partial Partial
When a user opens manipulated Scalable Vector Graphics (.SVG) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.
36 CVE-2021-27588 2021-03-09 2021-03-25
6.8
None Remote Medium Not required Partial Partial Partial
When a user opens manipulated HPGL format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.
37 CVE-2021-27587 2021-03-09 2021-03-25
6.8
None Remote Medium Not required Partial Partial Partial
When a user opens manipulated Jupiter Tessellation (.JT) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.
38 CVE-2021-27586 2021-03-09 2021-03-25
6.8
None Remote Medium Not required Partial Partial Partial
When a user opens manipulated Interchange File Format (.IFF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.
39 CVE-2021-27585 2021-03-09 2021-03-25
6.8
None Remote Medium Not required Partial Partial Partial
When a user opens manipulated Computer Graphics Metafile (.CGM) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.
40 CVE-2021-27584 2021-03-09 2021-03-10
4.3
None Remote Medium Not required None None Partial
When a user opens manipulated PhotoShop Document (.PSD) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.
41 CVE-2021-21493 2021-03-09 2021-03-19
4.3
None Remote Medium Not required None None Partial
When a user opens manipulated Graphics Interchange Format (.GIF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.
42 CVE-2021-21492 290 2021-04-13 2021-04-20
4.3
None Remote Medium Not required None Partial None
SAP NetWeaver Application Server Java(HTTP Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate logon group in URLs, resulting in a content spoofing vulnerability when directory listing is enabled.
43 CVE-2021-21491 601 2021-03-10 2021-03-17
5.8
None Remote Medium Not required Partial Partial None
SAP Netweaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.
44 CVE-2021-21488 502 2021-03-09 2021-03-17
4.0
None Remote Low ??? None None Partial
Knowledge Management versions 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 allows a remote attacker with basic privileges to deserialize user-controlled data without verification, leading to insecure deserialization which triggers the attacker’s code, therefore impacting Availability.
45 CVE-2021-21487 862 2021-03-09 2021-03-16
6.5
None Remote Low ??? Partial Partial Partial
SAP Payment Engine version 500, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
46 CVE-2021-21486 862 2021-03-09 2021-03-16
6.5
None Remote Low ??? Partial Partial Partial
SAP Enterprise Financial Services versions, 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
47 CVE-2021-21485 200 +Priv +Info 2021-04-13 2021-04-21
4.3
None Remote Medium Not required Partial None None
An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user.
48 CVE-2021-21484 863 Bypass 2021-03-09 2021-03-16
6.8
None Remote Medium Not required Partial Partial Partial
LDAP authentication in SAP HANA Database version 2.0 can be bypassed if the attached LDAP directory server is configured to enable unauthenticated bind.
49 CVE-2021-21483 200 +Info 2021-04-13 2021-04-20
4.0
None Remote Low ??? Partial None None
Under certain conditions SAP Solution Manager, version - 720, allows a high privileged attacker to get access to sensitive information which has a direct serious impact beyond the exploitable component thereby affecting the confidentiality in the application.
50 CVE-2021-21482 200 +Info 2021-04-13 2021-04-21
4.8
None Local Network Low Not required Partial Partial None
SAP NetWeaver Master Data Management, versions - 710, 710.750, allows a malicious unauthorized user with access to the MDM Server subnet to find the password using a brute force method. If successful, the attacker could obtain access to highly sensitive data and MDM administrative privileges leading to information disclosure vulnerability thereby affecting the confidentiality and integrity of the application. This happens when security guidelines and recommendations concerning administrative accounts of an SAP NetWeaver Master Data Management installation have not been thoroughly reviewed.
Total number of vulnerabilities : 870   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.