SAP Financial Consolidation does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. The affected endpoints are exposed over the network, and exploitation can affect resources beyond the vulnerable component. On successful exploitation, an attacker can cause limited impact to the confidentiality of the application.
Source: SAP SE | Max CVSS: 5.0 | EPSS Score: 0.04% | Published: 2024-06-11 | Updated: 2024-06-11
SAP Financial Consolidation allows data to enter a web application from an untrusted source. The affected endpoints are exposed over the network and allow the user to modify content served by the web site. On successful exploitation, an attacker can cause significant impact to the confidentiality and integrity of the application.
Source: SAP SE | Max CVSS: 8.1 | EPSS Score: 0.04% | Published: 2024-06-11 | Updated: 2024-06-11
SAP BW/4HANA Transformation and Data Transfer Process (DTP) allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks. This results in escalation of privileges. It has no impact on the confidentiality of data but may have low impacts on the integrity and availability of the application.
Source: SAP SE | Max CVSS: 5.5 | EPSS Score: 0.04% | Published: 2024-06-11 | Updated: 2024-06-11
Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform the necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has a high impact on integrity and no impact on the confidentiality and availability of the system.
Source: SAP SE | Max CVSS: 6.5 | EPSS Score: 0.04% | Published: 2024-06-11 | Updated: 2024-06-11
SAP Student Life Cycle Management (SLcM) fails to conduct proper authorization checks for authenticated users, leading to potential escalation of privileges. On successful exploitation, an attacker could access and edit non-sensitive report variants that are normally restricted, causing minimal impact on the confidentiality and integrity of the application.
Source: SAP SE | Max CVSS: 5.4 | EPSS Score: 0.04% | Published: 2024-06-11 | Updated: 2024-06-11
Due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, attackers can perform denial-of-service (DoS) attacks on the application, which may prevent legitimate users from accessing it. This has no impact on confidentiality and integrity but a high impact on the availability of the application.
Source: SAP SE | Max CVSS: 7.5 | EPSS Score: 0.04% | Published: 2024-06-11 | Updated: 2024-06-11
SAP NetWeaver Application Server for ABAP and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. An attacker can control code that is executed within a user's browser, which could result in modification or deletion of data (including accessing or deleting files) or theft of session cookies that the attacker could use to hijack the user's session. Hence, this could have an impact on the confidentiality, integrity and availability of the system.
Source: SAP SE | Max CVSS: 6.5 | EPSS Score: 0.04% | Published: 2024-05-14 | Updated: 2024-05-14
Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link that embeds a malicious script. When a victim clicks the link, the script is executed in the victim's browser, giving the attacker the ability to access and/or modify information, with no effect on the availability of the application.
Source: SAP SE | Max CVSS: 6.1 | EPSS Score: 0.04% | Published: 2024-06-11 | Updated: 2024-06-11
On Unix, SAP BusinessObjects Business Intelligence Platform (Scheduling) allows an authenticated attacker with administrator access on the local server to access the password of a local account. As a result, the attacker can obtain non-administrative user credentials, which allow them to read or modify files on the remote server.
Source: SAP SE | Max CVSS: 3.7 | EPSS Score: 0.04% | Published: 2024-06-11 | Updated: 2024-06-11
An authenticated attacker can upload a malicious file to the SAP Document Builder service. When the victim accesses this file, the attacker is able to access or modify the related information, or make it unavailable, in the victim's browser.
Source: SAP SE | Max CVSS: 6.5 | EPSS Score: 0.04% | Published: 2024-06-11 | Updated: 2024-06-11
SAP Global Label Management is vulnerable to SQL injection. On exploitation, the attacker can use specially crafted inputs to modify database commands, resulting in the retrieval of additional information persisted by the system. This could lead to a low impact on the confidentiality and integrity of the application.
Source: SAP SE | Max CVSS: 4.2 | EPSS Score: 0.04% | Published: 2024-05-14 | Updated: 2024-05-14
SAP Replication Server allows an attacker to use the gateway to execute certain commands against the RSSD. This could crash the Replication Server due to memory corruption, with a high impact on the availability of the system.
Source: SAP SE | Max CVSS: 4.9 | EPSS Score: 0.04% | Published: 2024-05-14 | Updated: 2024-05-14
PDFViewer is a control delivered as part of the SAPUI5 product that shows PDF content in embedded mode by default. If a PDF document contains embedded JavaScript (or any other harmful client-side script), PDFViewer will execute the script embedded in the PDF, which poses a potential security threat.
Source: SAP SE | Max CVSS: 3.5 | EPSS Score: 0.04% | Published: 2024-05-14 | Updated: 2024-05-14
An unauthenticated attacker can upload a malicious file to the server which, when accessed by a victim, can allow the attacker to completely compromise the system.
Source: SAP SE | Max CVSS: 9.6 | EPSS Score: 0.04% | Published: 2024-05-14 | Updated: 2024-05-14
SAP Business Objects Business Intelligence Platform is vulnerable to insecure storage because dynamic web pages remain cached even after logout. On successful exploitation, an attacker can read sensitive information from the cache and open the cached pages, causing limited impact on the confidentiality, integrity and availability of the application.
Source: SAP SE | Max CVSS: 4.3 | EPSS Score: 0.04% | Published: 2024-05-14 | Updated: 2024-05-14
The (obsolete) Document Service handler in Data Provisioning Service does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability with low impact on the confidentiality and integrity of the application.
Source: SAP SE | Max CVSS: 6.1 | EPSS Score: 0.04% | Published: 2024-05-14 | Updated: 2024-05-14
SAP NetWeaver and ABAP Platform allow an attacker to impede performance for legitimate users by crashing or flooding the service. The impact of this denial-of-service vulnerability may be long response delays and service interruptions, degrading the service quality experienced by legitimate users and causing a high impact on the availability of the application.
Source: SAP SE | Max CVSS: 6.5 | EPSS Score: 0.04% | Published: 2024-06-11 | Updated: 2024-06-11
SAP Bank Account Management does not perform the necessary authorization check for an authorized user, resulting in escalation of privileges. As a result, it has a low impact on the confidentiality of the system.
Source: SAP SE | Max CVSS: 3.5 | EPSS Score: 0.04% | Published: 2024-05-14 | Updated: 2024-05-14
Due to missing input validation and output encoding of untrusted data, SAP NetWeaver Application Server ABAP and ABAP Platform allow an unauthenticated attacker to inject malicious JavaScript code into a dynamically generated web page. On successful exploitation, the attacker can access or modify sensitive information, with no impact on the availability of the application.
Source: SAP SE | Max CVSS: 6.1 | EPSS Score: 0.04% | Published: 2024-05-14 | Updated: 2024-05-14
SAP My Travel Requests does not perform the necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation, the attacker can upload a malicious attachment to a business trip request, which leads to a low impact on the confidentiality, integrity and availability of the application.
Source: SAP SE | Max CVSS: 5.5 | EPSS Score: 0.04% | Published: 2024-05-14 | Updated: 2024-05-14
SAP Enable Now Manager does not perform the necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation, an attacker with the role 'Learner' could gain access to other users' data in Manager, which leads to a high impact on the confidentiality of the application.
Source: SAP SE | Max CVSS: 6.5 | EPSS Score: 0.04% | Published: 2024-04-26 | Updated: 2024-05-14
The ABAP Application Server of SAP NetWeaver as well as ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. This leads to a considerable impact on availability.
Source: SAP SE | Max CVSS: 6.5 | EPSS Score: 0.04% | Published: 2024-04-09 | Updated: 2024-04-09
Cash Management in SAP S/4 HANA does not perform the necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can approve or reject a bank account application, affecting the integrity of the application. Confidentiality and availability are not impacted.
Source: SAP SE | Max CVSS: 4.3 | EPSS Score: 0.04% | Published: 2024-04-09 | Updated: 2024-04-09
Cash Management in SAP S/4 HANA does not perform the necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can add notes to a review request with 'completed' status, affecting the integrity of the application. Confidentiality and availability are not impacted.
Source: SAP SE | Max CVSS: 4.3 | EPSS Score: 0.04% | Published: 2024-04-09 | Updated: 2024-04-09
The Resource Settings page allows a high-privilege attacker to load an exploitable payload that is stored and reflected whenever a user visits the page. In a successful attack, some information could be obtained and/or modified; however, the attacker does not control what information is obtained, or the amount or kind of loss is limited.
Source: SAP SE | Max CVSS: 4.8 | EPSS Score: 0.04% | Published: 2024-04-09 | Updated: 2024-04-09
1468 vulnerabilities found