Search Results (1700 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2016-6256 1 Sap 1 Business One 2025-04-20 N/A
SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065.
CVE-2017-11457 1 Sap 1 Netweaver Application Server Java 2025-04-20 6.5 Medium
XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249.
CVE-2016-6143 1 Sap 1 Hana 2025-04-20 N/A
SAP HANA DB 1.00.73.00.389160 allows remote attackers to execute arbitrary code via vectors involving the audit logs, aka SAP Security Note 2170806.
CVE-2017-8852 1 Sap 1 Sapcar 2025-04-20 N/A
SAP SAPCAR 721.510 has a Heap Based Buffer Overflow Vulnerability. It could be exploited with a crafted CAR archive file received from an untrusted remote source. The problem is that the length of data written is an arbitrary number found within the file. The vendor response is SAP Security Note 2441560.
CVE-2017-10701 1 Sap 1 Enterprise Portal 2025-04-20 N/A
Cross site scripting (XSS) vulnerability in SAP Enterprise Portal 7.50 allows remote attackers to inject arbitrary web script or HTML, aka SAP Security Notes 2469860, 2471209, and 2488516.
CVE-2017-16684 1 Sap 1 Business Intelligence Promotion Management Application 2025-04-20 N/A
SAP Business Intelligence Promotion Management Application, Enterprise 4.10, 4.20, and 4.30, does not perform authentication checks for functionalities that require user identity.
CVE-2017-7717 1 Sap 1 Netweaver Application Server Java 2025-04-20 8.8 High
SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504.
CVE-2017-5372 1 Sap 1 Netweaver 2025-04-20 N/A
The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for the (1) getInformation, (2) getParameters, (3) getServiceInfo, (4) getStatistic, or (5) getClientStatistic function, aka SAP Security Note 2331908.
CVE-2017-11460 1 Sap 1 Netweaver Portal 2025-04-20 N/A
Cross-site scripting (XSS) vulnerability in the DataArchivingService servlet in SAP NetWeaver Portal 7.4 allows remote attackers to inject arbitrary web script or HTML via the responsecode parameter to shp/shp_result.jsp, aka SAP Security Note 2308535.
CVE-2017-11459 1 Sap 1 Trex 2025-04-20 N/A
SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via an fget command or (2) write to arbitrary files and consequently execute arbitrary code via an fdir command, aka SAP Security Note 2419592.
CVE-2017-14511 1 Sap 1 E-recruiting 2025-04-20 N/A
An issue was discovered in SAP E-Recruiting (aka ERECRUIT) 605 through 617. When an external applicant registers to the E-Recruiting application, he/she receives a link by email to confirm access to the provided email address. However, this measure can be bypassed and attackers can register and confirm email addresses that they do not have access to (candidate_hrobject is predictable and corr_act_guid is improperly validated). Furthermore, since an email address can be registered only once, an attacker could prevent other legitimate users from registering. This is SAP Security Note 2507798.
CVE-2017-15295 1 Sap 1 Point Of Sale Xpress Server 2025-04-20 N/A
Xpress Server in SAP POS does not require authentication for read/write/delete file access. This is SAP Security Note 2520064.
CVE-2017-8915 1 Sap 1 Hana Xs 2025-04-20 N/A
sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to cause a denial of service (assertion failure and service crash) by pushing a package with a filename containing a $ (dollar sign) or % (percent) character, aka SAP Security Note 2407694.
CVE-2017-15297 1 Sap 1 Host Agent 2025-04-20 N/A
SAP Hostcontrol does not require authentication for the SOAP SAPControl endpoint. This is SAP Security Note 2442993.
CVE-2017-8913 1 Sap 1 Netweaver Application Server Java 2025-04-20 8.8 High
The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873.
CVE-2017-16691 1 Sap 1 Business Application Software Integrated Solution 2025-04-20 N/A
SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52) supports upload of digitally signed note file of type 'SAR'. The digital signature verification is done together with the extraction of note file contained in the SAR archive. It is possible to append a tampered file to the SAR archive using SAPCAR tool and during the extraction, digital signature verification fails but the tampered file is extracted.
CVE-2017-6061 1 Sap 1 Businessobjects Financial Consolidation 2025-04-20 N/A
Cross-site scripting (XSS) vulnerability in the help component of SAP BusinessObjects Financial Consolidation 10.0.0.1933 allows remote attackers to inject arbitrary web script or HTML via a GET request. /finance/help/en/frameset.htm is the URI for this component. The vendor response is SAP Security Note 2368106.
CVE-2017-8914 1 Sap 1 Hana Xs 2025-04-20 N/A
sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to hijack npm packages or host arbitrary files by leveraging an insecure user creation policy, aka SAP Security Note 2407694.
CVE-2017-16689 1 Sap 1 Sap Kernel 2025-04-20 N/A
A Trusted RFC connection in SAP KERNEL 32NUC, SAP KERNEL 32Unicode, SAP KERNEL 64NUC, SAP KERNEL 64Unicode 7.21, 7.21EXT, 7.22, 7.22EXT; SAP KERNEL from 7.21 to 7.22, 7.45, 7.49, can be established to a different client or a different user on the same system, although no explicit Trusted/Trusting Relation to the same system has been defined.
CVE-2017-9843 1 Sap 1 Netweaver Abap 2025-04-20 2.7 Low
SAP NetWeaver AS ABAP 7.40 allows remote authenticated users with certain privileges to cause a denial of service (process crash) via vectors involving disp+work.exe, aka SAP Security Note 2406841.