Filtered by vendor Sap
Total: 1580 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-27680 | 1 Sap | 1 Netweaver Application Server Abap | 2026-06-03 | N/A | 3.1 LOW |
| Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascading Style Sheets (CSS) data into a web page served by the application. When a user accesses or clicks the affected page, the injected CSS is executed. As a result, the issue has a low impact on confidentiality, while integrity and availability are not impacted. | |||||
| CVE-2026-27682 | 1 Sap | 1 Netweaver Application Server Abap | 2026-06-03 | N/A | 4.7 MEDIUM |
| Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability. | |||||
| CVE-2026-34257 | 1 Sap | 1 Netweaver Application Server Abap | 2026-06-03 | N/A | 6.1 MEDIUM |
| Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, could redirect them to a page controlled by the attacker. This has a low impact on the confidentiality and integrity of the application, with no impact on availability. | |||||
| CVE-2026-27674 | 1 Sap | 1 Netweaver Application Server Java | 2026-06-03 | N/A | 6.1 MEDIUM |
| Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, that attacker-controlled content could be executed in the victim's browser, potentially resulting in session compromise. This could allow the attacker to execute arbitrary client-side code, impacting the confidentiality and integrity of the application, with no impact to availability. | |||||
| CVE-2026-24310 | 1 Sap | 1 Netweaver Application Server Abap | 2026-06-03 | N/A | 3.5 LOW |
| Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute a specific ABAP function module and read sensitive information from the database catalog of the ABAP system. This vulnerability has a low impact on the application's confidentiality, with no effect on integrity and availability. | |||||
| CVE-2026-27688 | 1 Sap | 1 Netweaver Application Server Abap | 2026-06-03 | N/A | 5.0 MEDIUM |
| Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database Analyzer Log Files via a specific RFC function module. The attacker with the necessary privileges to execute this function module could potentially escalate their privileges and read the sensitive data, resulting in a limited impact on the confidentiality of the information stored. However, the integrity and availability of the system are not affected. | |||||
| CVE-2026-24316 | 1 Sap | 1 Netweaver Application Server Abap | 2026-06-03 | N/A | 6.4 MEDIUM |
| SAP NetWeaver Application Server for ABAP provides an ABAP Report for testing purposes, which allows sending HTTP requests to arbitrary internal or external endpoints. The report is therefore vulnerable to Server-Side Request Forgery (SSRF). Successful exploitation could lead to interaction with potentially sensitive internal endpoints, resulting in a low impact on data confidentiality and integrity. There is no impact on the availability of the application. | |||||
| CVE-2026-24309 | 1 Sap | 1 Netweaver Application Server Abap | 2026-06-03 | N/A | 6.4 MEDIUM |
| Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute a specific ABAP function module to read, modify or insert entries into the database configuration table of the ABAP system. This unauthorized content change could lead to reduced system performance or interruptions. The vulnerability has a low impact on the application's integrity and availability, with no effect on confidentiality. | |||||
| CVE-2026-40135 | 1 Sap | 1 Netweaver Application Server Abap | 2026-06-03 | N/A | 6.5 MEDIUM |
| An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality. | |||||
| CVE-2017-10701 | 1 Sap | 1 Enterprise Portal | 2026-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross site scripting (XSS) vulnerability in SAP Enterprise Portal 7.50 allows remote attackers to inject arbitrary web script or HTML, aka SAP Security Notes 2469860, 2471209, and 2488516. | |||||
| CVE-2017-9845 | 1 Sap | 1 Netweaver | 2026-05-13 | 7.8 HIGH | 7.5 HIGH |
| disp+work 7400.12.21.30308 in SAP NetWeaver 7.40 allows remote attackers to cause a denial of service (resource consumption) via a crafted DIAG request, aka SAP Security Note 2405918. | |||||
| CVE-2017-5997 | 1 Sap | 1 Sap Kernel | 2026-05-13 | 5.0 MEDIUM | 7.5 HIGH |
| The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows remote attackers to cause a denial of service (memory consumption and process crash) via multiple msgserver/group?group= requests with a crafted size of the group parameter, aka SAP Security Note 2358972. | |||||
| CVE-2017-16685 | 1 Sap | 1 Business Warehouse Universal Data Integration | 2026-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site scripting (XSS) in SAP Business Warehouse Universal Data Integration, from 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, due to insufficient encoding of user controlled inputs. | |||||
| CVE-2017-15294 | 1 Sap | 1 Customer Relationship Management | 2026-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Java administration console in SAP CRM has XSS. This is SAP Security Note 2478964. | |||||
| CVE-2017-15295 | 1 Sap | 1 Point Of Sale Xpress Server | 2026-05-13 | 10.0 HIGH | 9.8 CRITICAL |
| Xpress Server in SAP POS does not require authentication for read/write/delete file access. This is SAP Security Note 2520064. | |||||
| CVE-2017-15297 | 1 Sap | 1 Host Agent | 2026-05-13 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Hostcontrol does not require authentication for the SOAP SAPControl endpoint. This is SAP Security Note 2442993. | |||||
| CVE-2017-16690 | 1 Sap | 1 Plant Connectivity | 2026-05-13 | 6.8 MEDIUM | 7.8 HIGH |
| A malicious DLL preload attack is possible on NwSapSetup and the Installation self-extracting program for SAP Plant Connectivity 2.3 and 15.0. It is possible that SAPSetup / NwSapSetup.exe loads system DLLs like DWMAPI.dll (located in your Syswow64 / System32 folder) from the folder the executable is in and not from the system location. The desired behavior is that system DLLs are only loaded from the system folders. If a DLL with the same name as the system DLL is located in the same folder as the executable, this DLL is loaded and its code is executed. | |||||
| CVE-2017-11458 | 1 Sap | 1 Netweaver Application Server Java | 2026-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783. | |||||
| CVE-2017-8913 | 1 Sap | 1 Netweaver Application Server Java | 2026-05-13 | 6.5 MEDIUM | 8.8 HIGH |
| The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873. | |||||
| CVE-2016-10079 | 1 Sap | 1 Saplpd | 2026-05-13 | 5.0 MEDIUM | 7.5 HIGH |
| SAPlpd through 7400.3.11.33 in SAP GUI 7.40 on Windows has a Denial of Service vulnerability (service crash) with a long string to TCP port 515. | |||||
