Filtered by vendor Sap
Subscribe
Total
1531 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-6207 | 1 Sap | 1 Solution Manager | 2025-10-31 | 10.0 HIGH | 9.8 CRITICAL |
| SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager. | |||||
| CVE-2020-6287 | 1 Sap | 1 Netweaver Application Server Java | 2025-10-31 | 10.0 HIGH | 10.0 CRITICAL |
| SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check. | |||||
| CVE-2018-2380 | 1 Sap | 1 Customer Relationship Management | 2025-10-31 | 6.5 MEDIUM | 6.6 MEDIUM |
| SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs. | |||||
| CVE-2019-0344 | 1 Sap | 1 Commerce Cloud | 2025-10-31 | 7.5 HIGH | 9.8 CRITICAL |
| Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection. | |||||
| CVE-2025-42999 | 1 Sap | 1 Netweaver | 2025-10-31 | N/A | 9.1 CRITICAL |
| SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system. | |||||
| CVE-2025-31324 | 1 Sap | 1 Netweaver | 2025-10-31 | N/A | 10.0 CRITICAL |
| SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. | |||||
| CVE-2024-37180 | 1 Sap | 1 Sap Basis | 2025-10-29 | N/A | 4.1 MEDIUM |
| Under certain conditions SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to access remote-enabled function module with no further authorization which would otherwise be restricted, the function can be used to read non-sensitive information with low impact on confidentiality of the application. | |||||
| CVE-2024-39594 | 1 Sap | 2 Business Warehouse, Business Warehouse Virtual Comp | 2025-10-29 | N/A | 6.1 MEDIUM |
| SAP Business Warehouse - Business Planning and Simulation application does not sufficiently encode user controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause low impact on the confidentiality and integrity of the application. | |||||
| CVE-2024-25646 | 1 Sap | 1 Businessobjects Web Intelligence | 2025-10-29 | N/A | 7.7 HIGH |
| Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using crafted document. On successful exploitation there could be a considerable impact on confidentiality of the application. | |||||
| CVE-2024-39595 | 1 Sap | 2 Business Warehouse, Business Warehouse Virtual Comp | 2025-10-28 | N/A | 5.4 MEDIUM |
| SAP Business Warehouse - Business Planning and Simulation application does not sufficiently encode user-controlled inputs, resulting in Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows users to modify website content and on successful exploitation, an attacker can cause low impact to the confidentiality and integrity of the application. | |||||
| CVE-2024-39599 | 1 Sap | 1 Sap Basis | 2025-10-28 | N/A | 4.7 MEDIUM |
| Due to a Protection Mechanism Failure in SAP NetWeaver Application Server for ABAP and ABAP Platform, a developer can bypass the configured malware scanner API because of a programming error. This leads to a low impact on the application's confidentiality, integrity, and availability. | |||||
| CVE-2024-45281 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-28 | N/A | 5.8 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform allows a high privilege user to run client desktop applications even if some of the DLLs are not digitally signed or if the signature is broken. The attacker needs to have local access to the vulnerable system to perform DLL related tasks. This could result in a high impact on confidentiality and integrity of the application. | |||||
| CVE-2024-32732 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-28 | N/A | 5.3 MEDIUM |
| Under certain conditions SAP BusinessObjects Business Intelligence platform allows an attacker to access information which would otherwise be restricted.This has low impact on Confidentiality with no impact on Integrity and Availability of the application. | |||||
| CVE-2025-42968 | 1 Sap | 1 Netweaver | 2025-10-27 | N/A | 5.0 MEDIUM |
| SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module which could grants access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application. | |||||
| CVE-2025-42986 | 1 Sap | 1 Sap Basis | 2025-10-27 | N/A | 4.3 MEDIUM |
| Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application. | |||||
| CVE-2025-42956 | 1 Sap | 1 Sap Basis | 2025-10-27 | N/A | 6.1 MEDIUM |
| SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page generation to create content which when executed in the victim's browser leading to low impact on Confidentiality and Integrity with no effect on Availability of the application. | |||||
| CVE-2025-0053 | 1 Sap | 1 Sap Basis | 2025-10-24 | N/A | 5.3 MEDIUM |
| SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the confidentiality of the application and may be leveraged to facilitate further attacks or exploits. | |||||
| CVE-2025-0058 | 1 Sap | 1 Sap Basis | 2025-10-24 | N/A | 6.5 MEDIUM |
| In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the information or to make the information unavailable. | |||||
| CVE-2025-0060 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-24 | N/A | 6.5 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform allows an authenticated user with restricted access to inject malicious JS code which can read sensitive information from the server and send it to the attacker. The attacker could further use this information to impersonate as a high privileged user causing high impact on confidentiality and integrity of the application. | |||||
| CVE-2025-0061 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-24 | N/A | 8.7 HIGH |
| SAP BusinessObjects Business Intelligence Platform allows an unauthenticated attacker to perform session hijacking over the network without any user interaction, due to an information disclosure vulnerability. Attacker can access and modify all the data of the application. | |||||