|
|
SAP : Security Vulnerabilities (CVSS score between 3 and 3.99)
| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-2466 |
79 |
|
XSS |
2018-10-09 |
2018-11-23 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
In Impact and Lineage Analysis in SAP Data Services, version 4.2, the management console does not sufficiently validate user-controlled inputs, which results in Cross-Site Scripting (XSS) vulnerability. |
|
2 |
CVE-2018-2410 |
79 |
|
XSS |
2018-04-10 |
2018-05-16 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
SAP Business One, 9.2, 9.3, browser access does not sufficiently encode user controlled inputs, which results in a Cross-Site Scripting (XSS) vulnerability. |
|
3 |
CVE-2018-2405 |
79 |
|
XSS |
2018-04-10 |
2018-05-16 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
SAP Solution Manager, 7.10, 7.20, Incident Management Work Center allows an attacker to upload a malicious script as an attachment and this could lead to possible Cross-Site Scripting. |
|
4 |
CVE-2018-2402 |
255 |
|
|
2018-03-14 |
2018-04-13 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
In systems using the optional capture & replay functionality of SAP HANA, 1.00 and 2.00, (see SAP Note 2362820 for more information about capture & replay), user credentials may be stored in clear text in the indexserver trace files of the control system. An attacker with the required authorizations on the control system may be able to access the user credentials and gain unauthorized access to data in the captured or target system. |
|
5 |
CVE-2018-2397 |
79 |
|
XSS |
2018-03-14 |
2018-04-10 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
In SAP Business Objects Business Intelligence Platform, 4.00, 4.10, 4.20, 4.30, the Central Management Console (CMC) does not sufficiently encode user controlled inputs which results in Cross-Site Scripting. |
|
6 |
CVE-2017-11458 |
79 |
|
XSS |
2017-07-25 |
2018-12-10 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783. |
|
7 |
CVE-2017-9613 |
79 |
|
XSS |
2017-06-15 |
2018-10-09 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Stored Cross-site scripting (XSS) vulnerability in SAP SuccessFactors before b1705.1234962 allows remote authenticated users to inject arbitrary web script or HTML via the file upload functionality. |
|
8 |
CVE-2016-6858 |
79 |
|
XSS |
2016-12-31 |
2017-01-04 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field. |
|
9 |
CVE-2016-6857 |
79 |
|
XSS |
2016-12-31 |
2017-01-04 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Create Catalogue feature in Hybris Management Console (HMC) in SAP Hybris before 5.2.0.13, 5.3.x before 5.3.0.11, 5.4.x before 5.4.0.11, 5.5.0.x before 5.5.0.10, 5.5.1.x before 5.5.1.11, 5.6.x before 5.6.0.11, and 5.7.x before 5.7.0.15 allows remote authenticated users to inject arbitrary web script or HTML via the ID field. |
|
10 |
CVE-2014-8312 |
|
|
+Info |
2014-10-16 |
2018-10-09 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
Business Warehouse (BW) in SAP Netweaver AS ABAP 7.31 allows remote authenticated users to obtain sensitive information via a request to the RSDU_CCMS_GET_PROFILE_PARAM RFC function. |
|
11 |
CVE-2014-8311 |
|
|
+Info |
2014-10-16 |
2018-10-09 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information via an InfoStore query to a CORBA listener. |
|
12 |
CVE-2014-5174 |
264 |
|
+Info |
2014-07-31 |
2017-08-28 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
The SAP Netweaver Business Warehouse component does not properly restrict access to the functions in the BW-SYS-DB-DB4 function group, which allows remote authenticated users to obtain sensitive information via unspecified vectors. |
Total number of vulnerabilities : 12
Page :
1
(This Page)
|
|
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is
MITRE's CVE web site.
CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is
MITRE's CWE web site.
OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is
MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk.
It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content.
EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site.
ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT,
INDIRECT or any other kind of loss.
