Filtered by vendor Sap
Total: 1531 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-0063 | 1 Sap | 1 Sap Basis | 2025-10-24 | N/A | 8.8 HIGH |
| SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. This could allow an attacker with basic user privileges to gain control over the data in the Informix database, leading to complete compromise of confidentiality, integrity and availability. | |||||
| CVE-2025-25245 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-24 | N/A | 5.4 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform (Web Intelligence) contains a deprecated web application endpoint that is not properly secured. An attacker could take advantage of this by injecting a malicious URL in the data returned to the user. On successful exploitation, there could be a limited impact on confidentiality and integrity within the scope of the victim's browser. There is no impact on availability. | |||||
| CVE-2025-31332 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-24 | N/A | 6.6 MEDIUM |
| Due to insecure file permissions in SAP BusinessObjects Business Intelligence Platform, an attacker who has local access to the system could modify files, potentially disrupting operations or causing service downtime, leading to a high impact on integrity and availability. However, this vulnerability does not disclose any sensitive data. | |||||
| CVE-2025-42920 | 1 Sap | 1 Supplier Relationship Management | 2025-10-24 | N/A | 6.1 MEDIUM |
| Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the page generation, resulting in the execution of malicious content. This execution allows the attacker to access and modify information within the victim's browser scope, impacting confidentiality and integrity, while availability remains unaffected. | |||||
| CVE-2024-34687 | 1 Sap | 1 Sap Basis | 2025-10-23 | N/A | 6.5 MEDIUM |
| SAP NetWeaver Application Server for ABAP and ABAP Platform do not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker can control code that is executed within a user’s browser, which could result in modification, deletion of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. Hence, this could have impact on Confidentiality, Integrity and Availability of the system. | |||||
| CVE-2025-0066 | 1 Sap | 1 Sap Basis | 2025-10-23 | N/A | 9.9 CRITICAL |
| Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application. | |||||
| CVE-2025-0064 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-23 | N/A | 8.7 HIGH |
| Under specific conditions, the Central Management Console of the SAP BusinessObjects Business Intelligence platform allows an attacker with admin rights to generate or retrieve a secret passphrase, enabling them to impersonate any user in the system. This results in a high impact on confidentiality and integrity, with no impact on availability. | |||||
| CVE-2025-23193 | 1 Sap | 1 Sap Basis | 2025-10-23 | N/A | 5.3 MEDIUM |
| SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server availability. | |||||
| CVE-2025-30009 | 1 Sap | 1 Supplier Relationship Management | 2025-10-23 | N/A | 6.1 MEDIUM |
| The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated Java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim's browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim's browser, with no effect on availability of the application. | |||||
| CVE-2025-30010 | 1 Sap | 1 Supplier Relationship Management | 2025-10-23 | N/A | 6.1 MEDIUM |
| The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated Java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a malicious site. On successful exploitation, the attacker could cause low impact on confidentiality and integrity with no impact on the availability of the application. | |||||
| CVE-2025-30011 | 1 Sap | 1 Supplier Relationship Management | 2025-10-23 | N/A | 5.3 MEDIUM |
| The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated Java applet component within the affected SRM packages which allows an unauthenticated attacker to send a malicious request to the application, which could disclose the internal version details of the affected system. This vulnerability has low impact on confidentiality, with no effect on integrity and availability of the application. | |||||
| CVE-2025-30012 | 1 Sap | 1 Supplier Relationship Management | 2025-10-23 | N/A | 10.0 CRITICAL |
| The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated Java applet component, which allows an unauthenticated attacker to send a malicious payload request in a specific encoding format. The servlet will then decode this malicious request, which will result in deserialization of data in the application, leading to execution of arbitrary OS commands on the target as SAP Administrator. This vulnerability has high impact on confidentiality, integrity, and availability of the application. | |||||
| CVE-2025-30018 | 1 Sap | 1 Supplier Relationship Management | 2025-10-23 | N/A | 8.6 HIGH |
| The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application's confidentiality, with no effect on integrity and availability of the application. | |||||
| CVE-2025-23192 | 1 Sap | 1 Businessobjects Business Intelligence | 2025-10-23 | N/A | 8.2 HIGH |
| SAP BusinessObjects Business Intelligence (BI Workspace) allows an unauthenticated attacker to craft and store malicious script within a workspace. When the victim accesses the workspace, the script will execute in their browser enabling the attacker to potentially access sensitive session information, modify or make browser information unavailable. This leads to a high impact on confidentiality and low impact on integrity, availability. | |||||
| CVE-2025-42988 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-23 | N/A | 3.7 LOW |
| Under certain conditions, SAP Business Objects Business Intelligence Platform allows an unauthenticated attacker to enumerate HTTP endpoints in the internal network by specially crafting HTTP requests. This disclosure of information could further enable the researcher to cause SSRF. It has no impact on integrity and availability of the application. | |||||
| CVE-2025-42911 | 1 Sap | 1 Sap Basis | 2025-10-23 | N/A | 5.0 MEDIUM |
| SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, with no effect on the integrity and availability of the application. | |||||
| CVE-2025-42918 | 1 Sap | 1 Sap Basis | 2025-10-23 | N/A | 4.3 MEDIUM |
| SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. This results in a low impact on confidentiality, with no impact on integrity or availability. | |||||
| CVE-2025-42926 | 1 Sap | 1 Netweaver Application Server Java | 2025-10-23 | N/A | 5.3 MEDIUM |
| SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application. Upon successful exploitation, an unauthenticated attacker could access these files to gather additional sensitive information about the system. This vulnerability has a low impact on confidentiality and does not affect the integrity or availability of the server. | |||||
| CVE-2025-42936 | 1 Sap | 1 Sap Basis | 2025-10-23 | N/A | 5.4 MEDIUM |
| The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles; this issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application; there is no impact on availability. | |||||
| CVE-2024-33004 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-23 | N/A | 4.3 MEDIUM |
| SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage as dynamic web pages are getting cached even after logging out. On successful exploitation, the attacker can see the sensitive information through cache and can open the pages causing limited impact on Confidentiality, Integrity and Availability of the application. | |||||
