Filtered by vendor Sap
Subscriptions
Total
1501 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-7717 | 1 Sap | 1 Netweaver Application Server Java | 2025-04-20 | 8.8 High |
| SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504. | ||||
| CVE-2017-6950 | 1 Sap | 1 Gui For Windows | 2025-04-20 | N/A |
| SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended security policy restrictions and execute arbitrary code via a crafted ABAP code, aka SAP Security Note 2407616. | ||||
| CVE-2017-5997 | 1 Sap | 1 Sap Kernel | 2025-04-20 | N/A |
| The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows remote attackers to cause a denial of service (memory consumption and process crash) via multiple msgserver/group?group= requests with a crafted size of the group parameter, aka SAP Security Note 2358972. | ||||
| CVE-2017-6061 | 1 Sap | 1 Businessobjects Financial Consolidation | 2025-04-20 | N/A |
| Cross-site scripting (XSS) vulnerability in the help component of SAP BusinessObjects Financial Consolidation 10.0.0.1933 allows remote attackers to inject arbitrary web script or HTML via a GET request. /finance/help/en/frameset.htm is the URI for this component. The vendor response is SAP Security Note 2368106. | ||||
| CVE-2017-5372 | 1 Sap | 1 Netweaver | 2025-04-20 | N/A |
| The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for the (1) getInformation, (2) getParameters, (3) getServiceInfo, (4) getStatistic, or (5) getClientStatistic function, aka SAP Security Note 2331908. | ||||
| CVE-2017-16678 | 1 Sap | 4 Epbc, Epbc2, Kmc-bc and 1 more | 2025-04-20 | N/A |
| Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service, EPBC and EPBC2 from 7.00 to 7.02; KMC-BC 7.30, 7.31, 7.40 and 7.50, that allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application. | ||||
| CVE-2017-16679 | 1 Sap | 1 Sap Kernel | 2025-04-20 | N/A |
| URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52, that allows an attacker to redirect users to a malicious site. | ||||
| CVE-2017-16680 | 1 Sap | 1 Hana Extended Application Services | 2025-04-20 | N/A |
| Two potential audit log injections in SAP HANA extended application services 1.0, advanced model: 1) Certain HTTP/REST endpoints of controller service are missing user input validation which could allow unprivileged attackers to forge audit log lines. Hence the interpretation of audit log files could be hindered or misdirected. 2) User Account and Authentication writes audit logs into syslog and additionally writes the same audit entries into a log file. Entries in the log file miss escaping. Hence the interpretation of audit log files could be hindered or misdirected, while the entries in syslog are correct. | ||||
| CVE-2017-16681 | 1 Sap | 1 Business Intelligence Promotion Management Application | 2025-04-20 | N/A |
| Cross-Site Scripting (XSS) vulnerability in SAP Business Intelligence Promotion Management Application, Enterprise 4.10, 4.20, 4.30, as user controlled inputs are not sufficiently encoded. | ||||
| CVE-2017-16682 | 1 Sap | 2 Business Application Software Integrated Solution, Netweaver Internet Transaction Server | 2025-04-20 | N/A |
| SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker with administrator credentials to inject code that can be executed by the application and thereby control the behavior of the application. | ||||
| CVE-2017-16683 | 1 Sap | 1 Businessobjects | 2025-04-20 | N/A |
| Denial of Service (DOS) in SAP Business Objects Platform, Enterprise 4.10 and 4.20, that could allow an attacker to prevent legitimate users from accessing a service. | ||||
| CVE-2017-16684 | 1 Sap | 1 Business Intelligence Promotion Management Application | 2025-04-20 | N/A |
| SAP Business Intelligence Promotion Management Application, Enterprise 4.10, 4.20, and 4.30, does not perform authentication checks for functionalities that require user identity. | ||||
| CVE-2017-16685 | 1 Sap | 1 Business Warehouse Universal Data Integration | 2025-04-20 | N/A |
| Cross-Site scripting (XSS) in SAP Business Warehouse Universal Data Integration, from 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, due to insufficient encoding of user controlled inputs. | ||||
| CVE-2017-16687 | 1 Sap | 1 Hana Database | 2025-04-20 | N/A |
| The user self-service tools of SAP HANA extended application services, classic user self-service, a part of SAP HANA Database versions 1.00 and 2.00, can be misused to enumerate valid and invalid user accounts. An unauthenticated user could use the error messages to determine if a given username is valid. | ||||
| CVE-2017-16689 | 1 Sap | 1 Sap Kernel | 2025-04-20 | N/A |
| A Trusted RFC connection in SAP KERNEL 32NUC, SAP KERNEL 32Unicode, SAP KERNEL 64NUC, SAP KERNEL 64Unicode 7.21, 7.21EXT, 7.22, 7.22EXT; SAP KERNEL from 7.21 to 7.22, 7.45, 7.49, can be established to a different client or a different user on the same system, although no explicit Trusted/Trusting Relation to the same system has been defined. | ||||
| CVE-2017-16690 | 1 Sap | 1 Plant Connectivity | 2025-04-20 | N/A |
| A malicious DLL preload attack possible on NwSapSetup and Installation self-extracting program for SAP Plant Connectivity 2.3 and 15.0. It is possible that SAPSetup / NwSapSetup.exe loads system DLLs like DWMAPI.dll (located in your Syswow64 / System32 folder) from the folder the executable is in and not from the system location. The desired behavior is that system dlls are only loaded from the system folders. If a dll with the same name as the system dll is located in the same folder as the executable, this dll is loaded and code is executed. | ||||
| CVE-2017-16691 | 1 Sap | 1 Business Application Software Integrated Solution | 2025-04-20 | N/A |
| SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52) supports upload of digitally signed note file of type 'SAR'. The digital signature verification is done together with the extraction of note file contained in the SAR archive. It is possible to append a tampered file to the SAR archive using SAPCAR tool and during the extraction, digital signature verification fails but the tampered file is extracted. | ||||
| CVE-2017-15293 | 1 Sap | 1 Point Of Sale Xpress Server | 2025-04-20 | N/A |
| Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064. | ||||
| CVE-2017-15294 | 1 Sap | 1 Customer Relationship Management | 2025-04-20 | N/A |
| The Java administration console in SAP CRM has XSS. This is SAP Security Note 2478964. | ||||
| CVE-2017-15295 | 1 Sap | 1 Point Of Sale Xpress Server | 2025-04-20 | N/A |
| Xpress Server in SAP POS does not require authentication for read/write/delete file access. This is SAP Security Note 2520064. | ||||