Filtered by vendor Sap
Subscribe
Total
1568 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-24325 | 1 Sap | 1 Businessobjects Enterprise | 2026-02-17 | N/A | 4.8 MEDIUM |
| SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an admin user to inject malicious JavaScript into a website and the injected script gets executed when the user visits the compromised page.This vulnerability has low impact on confidentiality and integrity of the data. There is no impact on the availability of the application. | |||||
| CVE-2026-24326 | 1 Sap | 1 S\/4hana Defense \& Security | 2026-02-17 | N/A | 4.3 MEDIUM |
| Due to a missing authorization check in the Disconnected Operations of the SAP S/4HANA Defense & Security, an attacker with user privileges could call remote-enabled function modules to do direct update on standard SAP database table . This results in low impact on integrity, with no impact on confidentiality or availability of the application. | |||||
| CVE-2026-24327 | 1 Sap | 1 Strategic Enterprise Management | 2026-02-17 | N/A | 4.3 MEDIUM |
| Due to missing authorization check in SAP Strategic Enterprise Management (Balanced Scorecard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This leads to low impact on confidentiality and no effect on integrity or availability. | |||||
| CVE-2026-24328 | 1 Sap | 1 Business Server Pages | 2026-02-17 | N/A | 6.1 MEDIUM |
| SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim�s browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application. | |||||
| CVE-2026-0492 | 1 Sap | 1 Hana Database | 2026-01-27 | N/A | 8.8 HIGH |
| SAP HANA database is vulnerable to privilege escalation allowing an attacker with valid credentials of any user to switch to another user potentially gaining administrative access. This exploit could result in a total compromise of the system�s confidentiality, integrity, and availability. | |||||
| CVE-2026-0513 | 1 Sap | 1 Supplier Relationship Management | 2026-01-22 | N/A | 4.7 MEDIUM |
| Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site.This causes low impact on integrity of the application. Confidentiality and availability are not impacted. | |||||
| CVE-2026-0506 | 1 Sap | 1 Netweaver Application Server Abap | 2026-01-22 | N/A | 8.1 HIGH |
| Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected. | |||||
| CVE-2026-0500 | 1 Sap | 1 Introscope Enterprise Manager | 2026-01-22 | N/A | 9.6 CRITICAL |
| Due to the usage of vulnerable third party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by a public facing URL. When a victim clicks on the URL the accessed Wily Introscope Server could execute OS commands on the victim's machine. This could completely compromising confidentiality, integrity and availability of the system. | |||||
| CVE-2026-0498 | 1 Sap | 1 S\/4 Hana | 2026-01-22 | N/A | 9.1 CRITICAL |
| SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | |||||
| CVE-2025-42886 | 1 Sap | 1 Business Connector | 2026-01-16 | N/A | 6.1 MEDIUM |
| Due to a Reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim accesses this link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser context. This could allow the attacker to access or modify information within the victim�s browser scope, impacting confidentiality and integrity, while availability remains unaffected | |||||
| CVE-2025-42892 | 1 Sap | 1 Business Connector | 2026-01-16 | N/A | 6.8 MEDIUM |
| Due to an OS Command Injection vulnerability in SAP Business Connector, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system�s confidentiality, integrity, and availability. | |||||
| CVE-2025-42893 | 1 Sap | 1 Business Connector | 2026-01-16 | N/A | 6.1 MEDIUM |
| Due to an Open Redirect vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site displayed within an embedded frame. Successful exploitation could allow the attacker to steal sensitive information and perform unauthorized actions, impacting the confidentiality and integrity of web client data. There is no impact to system availability resulting from this vulnerability. | |||||
| CVE-2025-42894 | 1 Sap | 1 Business Connector | 2026-01-16 | N/A | 6.8 MEDIUM |
| Due to a Path Traversal vulnerability in SAP Business Connector, an attacker authenticated as an administrator with adjacent access could read, write, overwrite, and delete arbitrary files on the host system. Successful exploitation could enable the attacker to execute arbitrary operating system commands on the server, resulting in a complete compromise of the confidentiality, integrity, and availability of the affected system. | |||||
| CVE-2026-0514 | 1 Sap | 1 Business Connector | 2026-01-16 | N/A | 6.1 MEDIUM |
| Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability. | |||||
| CVE-2020-6207 | 1 Sap | 1 Solution Manager | 2025-10-31 | 10.0 HIGH | 9.8 CRITICAL |
| SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager. | |||||
| CVE-2020-6287 | 1 Sap | 1 Netweaver Application Server Java | 2025-10-31 | 10.0 HIGH | 10.0 CRITICAL |
| SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check. | |||||
| CVE-2018-2380 | 1 Sap | 1 Customer Relationship Management | 2025-10-31 | 6.5 MEDIUM | 6.6 MEDIUM |
| SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs. | |||||
| CVE-2019-0344 | 1 Sap | 1 Commerce Cloud | 2025-10-31 | 7.5 HIGH | 9.8 CRITICAL |
| Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection. | |||||
| CVE-2025-42999 | 1 Sap | 1 Netweaver | 2025-10-31 | N/A | 9.1 CRITICAL |
| SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system. | |||||
| CVE-2025-31324 | 1 Sap | 1 Netweaver | 2025-10-31 | N/A | 10.0 CRITICAL |
| SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. | |||||