In SAP Commerce, a user can misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites.
Source: SAP SE
Max CVSS
7.2
EPSS Score
0.04%
Published
2024-07-09
Updated
2024-07-09
Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application.
Source: SAP SE
Max CVSS
7.7
EPSS Score
0.04%
Published
2024-07-09
Updated
2024-07-09
Due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, attackers can perform DoS attacks on the application, which may prevent legitimate users from accessing it. This can result in no impact on confidentiality and integrity but a high impact on the availability of the application.
Source: SAP SE
Max CVSS
7.5
EPSS Score
0.04%
Published
2024-06-11
Updated
2024-06-11
SAP Asset Accounting could allow a high privileged attacker to exploit insufficient validation of path information provided by the users and pass it through to the file API's. Thus, causing a considerable impact on confidentiality, integrity and availability of the application.
Source: SAP SE
Max CVSS
7.2
EPSS Score
0.04%
Published
2024-04-09
Updated
2024-04-09
Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using crafted document. On successful exploitation there could be a considerable impact on confidentiality of the application.
Source: SAP SE
Max CVSS
7.7
EPSS Score
0.04%
Published
2024-04-09
Updated
2024-04-09
Due to improper validation of certificate in SAP Cloud Connector - version 2.0, attacker can impersonate the genuine servers to interact with SCC breaking the mutual authentication. Hence, the attacker can intercept the request to view/modify sensitive information. There is no impact on the availability of the system.
Source: SAP SE
Max CVSS
7.4
EPSS Score
0.05%
Published
2024-02-13
Updated
2024-06-10
Under certain conditions the Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) - version 1.0, allows an attacker to access highly sensitive information which would otherwise be restricted causing high impact on confidentiality.
Source: SAP SE
Max CVSS
7.5
EPSS Score
0.09%
Published
2024-01-09
Updated
2024-01-12
Under certain conditions, Internet Communication Manager (ICM) or SAP Web Dispatcher - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22_EXT, WEBDISP 7.22_EXT, WEBDISP 7.53, WEBDISP 7.54, could allow an attacker to access information which would otherwise be restricted causing high impact on confidentiality.
Source: SAP SE
Max CVSS
7.5
EPSS Score
0.09%
Published
2024-01-09
Updated
2024-01-22
SAP LT Replication Server - version S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, does not perform necessary authorization checks. This could allow an attacker with high privileges to perform unintended actions, resulting in escalation of privileges, which has High impact on confidentiality, integrity and availability of the system.
Source: SAP SE
Max CVSS
7.3
EPSS Score
0.05%
Published
2024-01-09
Updated
2024-01-30
SAP GUI for Windows and SAP GUI for Java - versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to create Layout configurations of the ABAP List Viewer and with this causing a mild impact on integrity and availability, e.g. also increasing the response times of the AS ABAP.
Source: SAP SE
Max CVSS
7.3
EPSS Score
0.05%
Published
2023-12-12
Updated
2023-12-19
SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to upload agnostic documents in the system which when opened by any other user could lead to high impact on integrity of the application.
Source: SAP SE
Max CVSS
7.6
EPSS Score
0.05%
Published
2023-12-12
Updated
2023-12-13
SAP BusinessObjects Suite Installer - version 420, 430, allows an attacker within the network to create a directory under temporary directory and link it to a directory with operating system files. On successful exploitation the attacker can delete all the operating system files causing a limited impact on integrity and completely compromising the availability of the system.
Source: SAP SE
Max CVSS
7.1
EPSS Score
0.04%
Published
2023-09-12
Updated
2023-09-13
SAP PowerDesigner Client - version 16.7, does not sufficiently validate BPMN2 XML document imported from an untrusted source. As a result, URLs of external entities in BPMN2 file, although not used, would be accessed during import. A successful attack could impact availability of SAP PowerDesigner Client.
Source: SAP SE
Max CVSS
7.5
EPSS Score
0.05%
Published
2023-10-10
Updated
2023-10-11
SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component to crash making it unavailable. There is no ability to view or modify any information.
Source: SAP SE
Max CVSS
7.5
EPSS Score
0.05%
Published
2023-09-12
Updated
2023-09-15
An attacker with standard privileges on macOS when requesting administrator privileges from the application can submit input which causes a buffer overflow resulting in a crash of the application. This could make the application unavailable and allow reading or modification of data.
Source: SAP SE
Max CVSS
7.8
EPSS Score
0.04%
Published
2023-09-28
Updated
2023-10-02
SAP business One allows - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and gets it delivered to the client, resulting to Cross-site scripting. This could lead to harmful action affecting the Confidentiality, Integrity and Availability of the application.
Source: SAP SE
Max CVSS
7.6
EPSS Score
0.05%
Published
2023-08-08
Updated
2023-08-09
Under certain conditions SAP Commerce (OCC API) - versions HY_COM 2105, HY_COM 2205, COM_CLOUD 2211, endpoints allow an attacker to access information which would otherwise be restricted. On successful exploitation there could be a high impact on confidentiality with no impact on integrity and availability of the application.
Source: SAP SE
Max CVSS
7.5
EPSS Score
0.09%
Published
2023-08-08
Updated
2023-08-15
SAP Solution Manager (Diagnostics agent) - version 7.20, allows an unauthenticated attacker to blindly execute HTTP requests. On successful exploitation, the attacker can cause a limited impact on confidentiality and availability of the application and other applications the Diagnostics Agent can reach.
Source: SAP SE
Max CVSS
7.2
EPSS Score
0.07%
Published
2023-07-11
Updated
2023-07-18
SAP SQLA for PowerDesigner 17 bundled with SAP PowerDesigner 16.7 SP06 PL03, allows an attacker with local access to the system, to place a malicious library, that can be executed by the application. An attacker could thereby control the behavior of the application.
Source: SAP SE
Max CVSS
7.8
EPSS Score
0.04%
Published
2023-08-08
Updated
2023-08-15
SAP Solution Manager (Diagnostics agent) - version 7.20, allows an attacker to tamper with headers in a client request. This misleads SAP Diagnostics Agent to serve poisoned content to the server. On successful exploitation, the attacker can cause a limited impact on confidentiality and availability of the application.
Source: SAP SE
Max CVSS
7.2
EPSS Score
0.07%
Published
2023-07-11
Updated
2023-07-18
SAP BusinessObjects Business Intelligence Platform - version 420, 430, allows an unauthorized attacker who had hijacked a user session, to be able to bypass the victim’s old password via brute force, due to unrestricted rate limit for password change functionality. Although the attack has no impact on integrity loss or system availability, this could lead to an attacker to completely takeover a victim’s account.
Source: SAP SE
Max CVSS
7.5
EPSS Score
0.09%
Published
2023-07-11
Updated
2023-07-18
SAP NetWeaver Application Server ABAP and ABAP Platform - version KRNL64NUC, 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL, 7.53, KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.92, KERNEL 7.93, under some conditions, performs improper authentication checks for functionalities that require user identity. An attacker can perform malicious actions over the network, extending the scope of impact, causing a limited impact on confidentiality, integrity and availability.
Source: SAP SE
Max CVSS
7.4
EPSS Score
0.06%
Published
2023-07-11
Updated
2023-07-19
When creating a journal entry template in SAP S/4HANA (Manage Journal Entry Template) - versions S4CORE 104, 105, 106, 107, an attacker could intercept the save request and change the template, leading to an impact on confidentiality and integrity of the resource. Furthermore, a standard template could be deleted, hence making the resource temporarily unavailable.
Source: SAP SE
Max CVSS
7.3
EPSS Score
0.07%
Published
2023-07-11
Updated
2023-07-19
B1i module of SAP Business One - version 10.0, application allows an authenticated user with deep knowledge to send crafted queries over the network to read or modify the SQL data. On successful exploitation, the attacker can cause high impact on confidentiality, integrity and availability of the application.
Source: SAP SE
Max CVSS
7.5
EPSS Score
0.06%
Published
2023-08-08
Updated
2023-08-15
SAP SQL Anywhere - version 17.0, allows an attacker to prevent legitimate users from accessing the service by crashing the service. An attacker with low privileged account and access to the local system can write into the shared memory objects. This can be leveraged by an attacker to perform a Denial of Service. Further, an attacker might be able to modify sensitive data in shared memory objects.This issue only affects SAP SQL Anywhere on Windows. Other platforms are not impacted.
Source: SAP SE
Max CVSS
7.8
EPSS Score
0.04%
Published
2023-07-11
Updated
2023-07-19
316 vulnerabilities found
1 2 3 4 5 6 7 8 9 10 11 12 13
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!