
SAP : Security Vulnerabilities (CVSS score between 6 and 8.99)

Columns of the original table: #, CVE ID, CWE ID, # of Exploits, Vulnerability Type(s), Publish Date, Update Date, Score, Gained Access Level, Access, Complexity, Authentication, Conf., Integ., Avail. The # of Exploits column is empty for every entry on this page and is omitted below; CWE ID and Vulnerability Type(s) are shown only where the table gives them. Authentication is shown as "???" where the table shows it that way.

1. CVE-2021-27616 | CWE-863 | Published 2021-05-11 | Updated 2021-05-21 | CVSS 7.2
   Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf.: Complete | Integ.: Complete | Avail.: Complete
   Under certain conditions, SAP Business One Hana Chef Cookbook, versions 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One for SAP HANA, allows an attacker to exploit an insecure temporary backup path and to access information that would otherwise be restricted, resulting in an Information Disclosure vulnerability with a high impact on the confidentiality, integrity and availability of the application.

2. CVE-2021-27602 | CWE-94 | Type: Exec Code | Published 2021-04-13 | Updated 2021-04-21 | CVSS 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   The Backoffice application of SAP Commerce, versions 1808, 1811, 1905, 2005, 2011, allows certain authorized users to create source rules, which are translated to Drools rules when published to certain modules within the application. An attacker with this authorization can inject malicious code into the source rules and perform remote code execution, enabling them to compromise the confidentiality, integrity and availability of the application.

3. CVE-2021-27592 | Published 2021-03-09 | Updated 2021-03-25 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   When a user opens manipulated Universal 3D (.U3D) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until the application is restarted.

4. CVE-2021-27591 | Published 2021-03-09 | Updated 2021-03-25 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   When a user opens manipulated Portable Document Format (.PDF) files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until the application is restarted.

5. CVE-2021-27590 | Published 2021-03-09 | Updated 2021-03-25 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   When a user opens manipulated Tag Image File Format (.TIFF) files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until the application is restarted.

6. CVE-2021-27589 | Published 2021-03-09 | Updated 2021-03-25 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   When a user opens manipulated Scalable Vector Graphics (.SVG) files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until the application is restarted.

7. CVE-2021-27588 | Published 2021-03-09 | Updated 2021-03-25 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   When a user opens manipulated HPGL files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until the application is restarted.

8. CVE-2021-27587 | Published 2021-03-09 | Updated 2021-03-25 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   When a user opens manipulated Jupiter Tessellation (.JT) files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until the application is restarted.

9. CVE-2021-27586 | Published 2021-03-09 | Updated 2021-03-25 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   When a user opens manipulated Interchange File Format (.IFF) files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until the application is restarted.

10. CVE-2021-27585 | Published 2021-03-09 | Updated 2021-03-25 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   When a user opens manipulated Computer Graphics Metafile (.CGM) files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until the application is restarted.

11. CVE-2021-21487 | CWE-862 | Published 2021-03-09 | Updated 2021-03-16 | CVSS 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP Payment Engine version 500 does not perform the necessary authorization checks for an authenticated user, resulting in escalation of privileges.

12. CVE-2021-21486 | CWE-862 | Published 2021-03-09 | Updated 2021-03-16 | CVSS 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP Enterprise Financial Services, versions 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800, does not perform the necessary authorization checks for an authenticated user, resulting in escalation of privileges.

13. CVE-2021-21484 | CWE-863 | Type: Bypass | Published 2021-03-09 | Updated 2021-03-16 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   LDAP authentication in SAP HANA Database version 2.0 can be bypassed if the attached LDAP directory server is configured to allow unauthenticated bind.

14. CVE-2021-21481 | CWE-863 | Published 2021-03-09 | Updated 2021-03-16 | CVSS 8.3
   Gained access: None | Access: Local Network | Complexity: Low | Authentication: Not required | Conf.: Complete | Integ.: Complete | Avail.: Complete
   The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check. This might allow an unauthorized attacker to access configuration objects, including ones that grant administrative privileges. This could result in complete compromise of system confidentiality, integrity, and availability.

15. CVE-2021-21479 | CWE-74 | Published 2021-02-09 | Updated 2021-02-16 | CVSS 6.4
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: Partial
   In SCIMono before 0.0.19, it is possible for an attacker to inject and execute a Java expression, compromising the availability and integrity of the system.

16. CVE-2021-21472 | Type: Dir. Trav. | Published 2021-02-09 | Updated 2021-02-16 | CVSS 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP Software Provisioning Manager 1.0 (SAP NetWeaver Master Data Management Server 7.1) does not offer an option to set a password during its installation; this allows an authenticated attacker to perform various attacks such as directory traversal, password brute forcing, SMB relay and security downgrade.

17. CVE-2021-21466 | CWE-94 | Type: DoS | Published 2021-01-12 | Updated 2021-05-17 | CVSS 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782, and SAP BW/4HANA, versions 100, 200, allow a low-privileged attacker to inject code using a remote-enabled function module over the network. Via the function module an attacker can create a malicious ABAP report, which could be used to gain access to sensitive data, to inject malicious UPDATE statements that could also affect the operating system, or to disrupt the functionality of the SAP system, leading to a Denial of Service.

18. CVE-2021-21465 | CWE-89 | Type: Exec Code Sql | Published 2021-01-12 | Updated 2021-02-11 | CVSS 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   The BW Database Interface allows an attacker with low privileges to execute any crafted database query, exposing the backend database. An attacker can include their own SQL commands, which the database executes without properly sanitizing the untrusted data; this SQL injection vulnerability can fully compromise the affected SAP system.

19. CVE-2021-21463 | CWE-125 | Published 2021-01-12 | Updated 2021-02-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated PCX file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

20. CVE-2021-21462 | CWE-787 | Published 2021-01-12 | Updated 2021-02-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated PCX file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

21. CVE-2021-21461 | CWE-787 | Published 2021-01-12 | Updated 2021-02-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated BMP file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

22. CVE-2021-21460 | CWE-787 | Published 2021-01-12 | Updated 2021-02-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated DIB file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

23. CVE-2021-21459 | CWE-787 | Published 2021-01-12 | Updated 2021-02-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated IFF file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

24. CVE-2021-21458 | CWE-119 | Type: Overflow | Published 2021-01-12 | Updated 2021-02-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated IFF file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

25. CVE-2021-21457 | CWE-119 | Type: Overflow | Published 2021-01-12 | Updated 2021-02-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated IFF file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

26. CVE-2021-21456 | CWE-787 | Published 2021-01-12 | Updated 2021-02-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated DIB file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

27. CVE-2021-21455 | CWE-787 | Published 2021-01-12 | Updated 2021-02-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated DIB file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

28. CVE-2021-21454 | CWE-787 | Published 2021-01-12 | Updated 2021-02-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated RLE file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

29. CVE-2021-21453 | CWE-119 | Type: Overflow | Published 2021-01-12 | Updated 2021-02-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated RLE file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

30. CVE-2021-21452 | CWE-119 | Type: Overflow | Published 2021-01-12 | Updated 2021-02-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated GIF file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

31. CVE-2021-21451 | CWE-119 | Type: Overflow | Published 2021-01-12 | Updated 2021-02-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated SGI file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

32. CVE-2021-21450 | CWE-119 | Type: Overflow | Published 2021-01-12 | Updated 2021-02-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated PSD file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

33. CVE-2021-21449 | CWE-119 | Type: Overflow | Published 2021-01-12 | Updated 2021-02-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated IFF file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

34. CVE-2020-26837 | CWE-22 | Type: Dir. Trav. | Published 2020-12-09 | Updated 2021-06-14 | CVSS 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP Solution Manager 7.2 (User Experience Monitoring), version 7.2, allows an authenticated user to upload a malicious script that can exploit an existing path traversal vulnerability to compromise confidentiality by exposing elements of the file system, partially compromise integrity by allowing the modification of some configurations, and partially compromise availability by making certain services unavailable.

35. CVE-2020-26832 | CWE-862 | Published 2020-12-09 | Updated 2020-12-10 | CVSS 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: None | Avail.: Complete
   SAP AS ABAP (SAP Landscape Transformation), versions 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020, and SAP S4 HANA (SAP Landscape Transformation), versions 101, 102, 103, 104, 105, allow a highly privileged user to execute an RFC function module to which access should be restricted; due to the missing authorization check, an attacker can gain access to some sensitive internal information of the vulnerable SAP system or make vulnerable SAP systems completely unavailable.

36. CVE-2020-26824 | CWE-862 | Published 2020-11-10 | Updated 2020-11-12 | CVSS 6.4
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: Partial
   SAP Solution Manager (JAVA stack), version 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the Upgrade Legacy Ports Service, which affects the integrity and availability of the service.

37. CVE-2020-26823 | CWE-862 | Published 2020-11-10 | Updated 2020-11-12 | CVSS 6.4
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: Partial
   SAP Solution Manager (JAVA stack), version 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the Upgrade Diagnostics Agent Connection Service, which affects the integrity and availability of the service.

38. CVE-2020-26822 | CWE-862 | Published 2020-11-10 | Updated 2020-11-12 | CVSS 6.4
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: Partial
   SAP Solution Manager (JAVA stack), version 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the Outside Discovery Configuration Service, which affects the integrity and availability of the service.

39. CVE-2020-26821 | CWE-862 | Published 2020-11-10 | Updated 2020-11-12 | CVSS 6.4
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: Partial
   SAP Solution Manager (JAVA stack), version 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the SVG Converter Service, which affects the integrity and availability of the service.

40. CVE-2020-26819 | CWE-287 | Published 2020-11-10 | Updated 2020-11-18 | CVSS 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP NetWeaver AS ABAP (Web Dynpro), versions 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components that let them read and delete database log files, because of Improper Access Control.

41. CVE-2020-26818 | CWE-200 | Type: +Info | Published 2020-11-10 | Updated 2020-11-18 | CVSS 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP NetWeaver AS ABAP (Web Dynpro), versions 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components that reveal sensitive system information which would otherwise be restricted to highly privileged users; because of the missing authorization check this results in Information Disclosure.

42. CVE-2020-26817 | CWE-787 | Published 2020-11-10 | Updated 2020-11-24 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated HPGL file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

43. CVE-2020-26808 | CWE-94 | Type: Exec Code | Published 2020-11-10 | Updated 2020-11-23 | CVSS 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP AS ABAP (DMIS), versions 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020, and SAP S4 HANA (DMIS), versions 101, 102, 103, 104, 105, allow an authenticated attacker to inject arbitrary code into a function module, leading to code injection that can be executed in the application and affects the confidentiality, availability and integrity of the application.

44. CVE-2020-6374 | CWE-125 | Published 2020-10-15 | Updated 2020-10-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated Jupiter Tessellation (.jt) file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

45. CVE-2020-6373 | CWE-787 | Published 2020-10-15 | Updated 2020-10-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated PDF file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

46. CVE-2020-6372 | CWE-787 | Published 2020-10-15 | Updated 2020-10-19 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated PDF file received from untrusted sources, which crashes the application and leaves it temporarily unavailable until the user restarts it; this is caused by Improper Input Validation.

47. CVE-2020-6362 | CWE-863 | Published 2020-10-20 | Updated 2020-10-22 | CVSS 6.8
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: None | Integ.: None | Avail.: Complete
   SAP Banking Services version 500 uses an incorrect authorization object in some of its reports. Although the affected reports are protected with other authorization objects, exploitation of the vulnerability could lead to privilege escalation and a violation of segregation of duties, which in turn could lead to service interruptions and system unavailability for the victim and the users of the component.

48. CVE-2020-6318 | CWE-94 | Type: Exec Code | Published 2020-09-09 | Updated 2020-09-15 | CVSS 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A Remote Code Execution vulnerability exists in SAP NetWeaver (ABAP Server, up to release 7.40) and ABAP Platform (> release 7.40). Because of this, an attacker can exploit these products via Code Injection, potentially taking complete control of them, including viewing, changing, or deleting data, by injecting code into the working memory that is subsequently executed by the application. It can also be used to cause a general fault in the product, causing it to terminate.

49. CVE-2020-6309 | CWE-287 | Type: DoS | Published 2020-08-12 | Updated 2021-04-12 | CVSS 7.8
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: None | Integ.: None | Avail.: Complete
   SAP NetWeaver AS JAVA, versions ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11, does not perform any authentication checks for a web service, allowing an attacker to send several payloads and leading to a complete denial of service.

50. CVE-2020-6302 | Published 2020-09-09 | Updated 2020-09-10 | CVSS 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   SAP Commerce versions 6.7, 1808, 1811, 1905, 2005 contain the jSession ID in the Backoffice URL when the application is loaded initially. An attacker can obtain this session ID via shoulder surfing or a man-in-the-middle attack and subsequently gain access to admin user accounts, leading to Session Fixation and complete compromise of the confidentiality, integrity and availability of the application.
Total number of vulnerabilities: 278 (this is page 1 of 6).