Filtered by vendor Sap
Subscribe
Total
1580 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-30010 | 1 Sap | 1 Supplier Relationship Management | 2025-10-23 | N/A | 6.1 MEDIUM |
| The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a malicious site. On successful exploitation, the attacker could cause low impact on confidentiality and integrity with no impact on the availability of the application. | |||||
| CVE-2025-30011 | 1 Sap | 1 Supplier Relationship Management | 2025-10-23 | N/A | 5.3 MEDIUM |
| The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send an malicious request to the application, which could disclose the internal version details of the affected system. This vulnerability has low impact on confidentiality, with no effect on integrity and availability of the application. | |||||
| CVE-2025-30012 | 1 Sap | 1 Supplier Relationship Management | 2025-10-23 | N/A | 10.0 CRITICAL |
| The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which will result in deserialization of data in the application leading to execution of arbitrary OS command on target as SAP Administrator. This vulnerability has High impact on confidentiality, integrity, and availability of the application. | |||||
| CVE-2025-30018 | 1 Sap | 1 Supplier Relationship Management | 2025-10-23 | N/A | 8.6 HIGH |
| The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application's confidentiality, with no effect on integrity and availability of the application. | |||||
| CVE-2025-23192 | 1 Sap | 1 Businessobjects Business Intelligence | 2025-10-23 | N/A | 8.2 HIGH |
| SAP BusinessObjects Business Intelligence (BI Workspace) allows an unauthenticated attacker to craft and store malicious script within a workspace. When the victim accesses the workspace, the script will execute in their browser enabling the attacker to potentially access sensitive session information, modify or make browser information unavailable. This leads to a high impact on confidentiality and low impact on integrity, availability. | |||||
| CVE-2025-42988 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-23 | N/A | 3.7 LOW |
| Under certain conditions, SAP Business Objects Business Intelligence Platform allows an unauthenticated attacker to enumerate HTTP endpoints in the internal network by specially crafting HTTP requests. This disclosure of information could further enable the researcher to cause SSRF. It has no impact on integrity and availability of the application. | |||||
| CVE-2025-42911 | 1 Sap | 1 Sap Basis | 2025-10-23 | N/A | 5.0 MEDIUM |
| SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, with no effect on the integrity and availability of the application | |||||
| CVE-2025-42918 | 1 Sap | 1 Sap Basis | 2025-10-23 | N/A | 4.3 MEDIUM |
| SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. This results in a low impact on confidentiality, with no impact on integrity or availability | |||||
| CVE-2025-42926 | 1 Sap | 1 Netweaver Application Server Java | 2025-10-23 | N/A | 5.3 MEDIUM |
| SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application.Upon successfully exploitation, an unauthenticated attacker could access these files to gather additional sensitive information about the system.This vulnerability has a low impact on confidentiality and does not affect the integrity or availability of the server. | |||||
| CVE-2025-42936 | 1 Sap | 1 Sap Basis | 2025-10-23 | N/A | 5.4 MEDIUM |
| The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application, there is no impact on availability. | |||||
| CVE-2024-33004 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-23 | N/A | 4.3 MEDIUM |
| SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage as dynamic web pages are getting cached even after logging out. On successful exploitation, the attacker can see the sensitive information through cache and can open the pages causing limited impact on Confidentiality, Integrity and Availability of the application. | |||||
| CVE-2024-28165 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-23 | N/A | 8.1 HIGH |
| SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to manipulate a parameter in the Opendocument URL which could lead to high impact on Confidentiality and Integrity of the application | |||||
| CVE-2022-39801 | 1 Sap | 1 Access Control | 2025-06-10 | N/A | 7.5 HIGH |
| SAP GRC Access control Emergency Access Management allows an authenticated attacker to access a Firefighter session even after it is closed in Firefighter Logon Pad. This attack can be launched only within the firewall. On successful exploitation the attacker can gain access to admin session and completely compromise the application. | |||||
| CVE-2022-39799 | 1 Sap | 1 Netweaver Application Server Abap | 2025-06-10 | N/A | 6.1 MEDIUM |
| An attacker with no prior authentication could craft and send malicious script to SAP GUI for HTML within Fiori Launchpad, resulting in reflected cross-site scripting attack. This could lead to stealing session information and impersonating the affected user. | |||||
| CVE-2022-41201 | 1 Sap | 1 3d Visual Enterprise Viewer | 2025-06-05 | N/A | 7.8 HIGH |
| Due to lack of proper memory management, when a victim opens a manipulated Right Hemisphere Binary (.rh, rh.x3d) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9, it is possible that a Remote Code Execution can be triggered when payload forces a stack-based overflow or a re-use of dangling pointer which refers to overwritten space in memory. | |||||
| CVE-2018-2398 | 1 Sap | 1 Business Client | 2025-05-27 | 5.0 MEDIUM | 7.5 HIGH |
| Under certain conditions SAP Business Client 6.5 allows an attacker to access information which would otherwise be restricted. | |||||
| CVE-2020-6228 | 1 Sap | 1 Business Client | 2025-05-27 | 4.3 MEDIUM | 7.5 HIGH |
| SAP Business Client, versions 6.5, 7.0, does not perform necessary integrity checks which could be exploited by an attacker under certain conditions to modify the installer. | |||||
| CVE-2020-6244 | 1 Sap | 1 Business Client | 2025-05-27 | 4.4 MEDIUM | 7.8 HIGH |
| SAP Business Client, version 7.0, allows an attacker after a successful social engineering attack to inject malicious code as a DLL file in untrusted directories that can be executed by the application, due to uncontrolled search path element. An attacker could thereby control the behavior of the application. | |||||
| CVE-2021-38150 | 1 Sap | 1 Business Client | 2025-05-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| When an attacker manages to get access to the local memory, or the memory dump of a victim, for example by a social engineering attack, SAP Business Client versions - 7.0, 7.70, will allow him to read extremely sensitive data, such as credentials. This would allow the attacker to compromise the corresponding backend for which the credentials are valid. | |||||
| CVE-2022-41191 | 1 Sap | 1 3d Visual Enterprise Viewer | 2025-05-20 | N/A | 7.8 HIGH |
| Due to lack of proper memory management, when a victim opens a manipulated Jupiter Tesselation (.jt, JTReader.x3d) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9, it is possible that a Remote Code Execution can be triggered when payload forces a stack-based overflow or a re-use of dangling pointer which refers to overwritten space in memory. | |||||