| CVE |
Vendors |
Products |
Updated |
CVSS |
| CVE-2018-2420 |
1 Sap |
1 Internet Graphics Server |
2019-10-09 |
7.5 |
| SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, allows an attacker to upload any file (including script files) without proper file format validation. |
| CVE-2018-2408 |
1 Sap |
1 Businessobjects |
2019-10-09 |
7.5 |
| Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. In case of password change for a user, all other active sessions created using older password continues to be active. |
| CVE-2018-2404 |
1 Sap |
1 Disclosure Management |
2019-10-09 |
7.5 |
| SAP Disclosure Management 10.1 allows an attacker to upload any file without proper file format validation. |
| CVE-2017-6950 |
1 Sap |
1 Gui For Windows |
2019-10-03 |
7.5 |
| SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended security policy restrictions and execute arbitrary code via a crafted ABAP code, aka SAP Security Note 2407616. |
| CVE-2017-15293 |
1 Sap |
1 Point Of Sale Xpress Server |
2019-10-03 |
10.0 |
| Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064. |
| CVE-2017-8914 |
1 Sap |
1 Hana Xs |
2019-10-03 |
7.5 |
| sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to hijack npm packages or host arbitrary files by leveraging an insecure user creation policy, aka SAP Security Note 2407694. |
| CVE-2017-15295 |
1 Sap |
1 Point Of Sale Xpress Server |
2019-10-03 |
10.0 |
| Xpress Server in SAP POS does not require authentication for read/write/delete file access. This is SAP Security Note 2520064. |
| CVE-2019-0365 |
1 Sap |
5 Sap Kernel, Sap Kernel Krnl32nuc, Sap Kernel Krnl32uc and 2 more |
2019-09-11 |
7.8 |
| SAP Kernel (RFC), KRNL32NUC, KRNL32UC and KRNL64NUC before versions 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64UC, before versions 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73 and KERNEL before versions 7.21, 7.49, 7.53, 7.73, 7.76 SAP GUI for Windows... |
| CVE-2019-0344 |
1 Sap |
1 Commerce Cloud |
2019-08-26 |
7.5 |
| Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection. |
| CVE-2019-0328 |
1 Sap |
1 Netweaver Process Integration |
2019-07-18 |
9.0 |
| ABAP Tests Modules (SAP Basis, versions 7.0, 7.1, 7.3, 7.31, 7.4, 7.5) of SAP NetWeaver Process Integration enables an attacker the execution of OS commands with privileged rights. An attacker could thereby impact the integrity and availability... |
| CVE-2019-0304 |
1 Sap |
5 Advanced Business Application Programming Platform Kernel, Advanced Business Application Programming Platform Krnl32nuc, Advanced Business Application Programming Platform Krnl32uc and 2 more |
2019-06-14 |
7.5 |
| FTP Function of SAP NetWeaver AS ABAP Platform, versions- KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21,... |
| CVE-2019-0261 |
1 Sap |
1 Landscape Management |
2019-02-26 |
7.5 |
| Under certain circumstances, SAP HANA Extended Application Services, advanced model (XS advanced) does not perform authentication checks properly for XS advanced platform and business users. Fixed in 1.0.97 to 1.0.99 (running on SAP HANA 1 or SAP... |
| CVE-2019-0259 |
1 Sap |
1 Businessobjects |
2019-02-20 |
7.5 |
| SAP BusinessObjects, versions 4.2 and 4.3, (Visual Difference) allows an attacker to upload any file (including script files) without proper file format validation. |
| CVE-2017-9845 |
1 Sap |
1 Netweaver |
2018-12-10 |
7.8 |
| disp+work 7400.12.21.30308 in SAP NetWeaver 7.40 allows remote attackers to cause a denial of service (resource consumption) via a crafted DIAG request, aka SAP Security Note 2405918. |
| CVE-2017-9844 |
1 Sap |
1 Netweaver |
2018-12-10 |
7.5 |
| SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, aka SAP Security Note 2399804. |
| CVE-2017-11459 |
1 Sap |
1 Trex |
2018-12-10 |
7.5 |
| SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via an fget command or (2) write to arbitrary files and consequently execute arbitrary code via an fdir command, aka SAP Security Note 2419592. |
| CVE-2016-6818 |
1 Sap |
1 Business Intelligence Platform |
2018-12-10 |
10.0 |
| SQL injection vulnerability in SAP Business Intelligence platform before January 2017 allows remote attackers to obtain sensitive information, modify data, cause a denial of service (data deletion), or launch administrative operations or possibly... |
| CVE-2016-4018 |
1 Sap |
1 Hana |
2018-12-10 |
7.5 |
| The Data Provisioning Agent (aka DP Agent) in SAP HANA does not properly restrict access to service functionality, which allows remote attackers to obtain sensitive information, gain privileges, and conduct unspecified other attacks via... |
| CVE-2016-4014 |
1 Sap |
1 Netweaver |
2018-12-10 |
9.0 |
| XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to uddi/api/replication, aka SAP Security Note 2254389. |
| CVE-2016-3974 |
1 Sap |
1 Netweaver |
2018-12-10 |
7.5 |
| XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to... |
