| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The SAP CRM Internet Sales module allows remote attackers to execute arbitrary commands via unspecified vectors. |
| SAP Netweaver 7.40 improperly logs (1) DUI and (2) DUJ events in the SAP Security Audit Log as non-critical, which might allow local users to hide rejected attempts to execute RFC function callbacks by leveraging filtering of non-critical events in audit analysis reports, aka SAP Security Note 2252312. |
| SAPCRYPTOLIB before 5.555.38, SAPSECULIB, and CommonCryptoLib before 8.4.30, as used in SAP NetWeaver AS for ABAP and SAP HANA, allows remote attackers to spoof Digital Signature Algorithm (DSA) signatures via unspecified vectors. |
| SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information via an InfoStore query to a CORBA listener. |
| XML External Entity (XXE) vulnerability in polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 allows remote attackers to read arbitrary files via the xmlParameter parameter in an explorationSpaceUpdate request. |
| Multiple cross-site scripting (XSS) vulnerabilities in the testcanvas node in SAP NetWeaver Business Client (NWBC) allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) sap-accessibility parameter. |
| Stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywhere allows remote attackers to execute arbitrary code via a crafted column alias. |
| XML external entity (XXE) vulnerability in the Web Service Navigator in SAP NetWeaver Application Server (AS) Java allows remote attackers to access arbitrary files via a crafted request. |
| Double free vulnerability in SAP Crystal Reports allows remote attackers to execute arbitrary code via crafted connection string record in an RPT file. |
| The Standalone Enqueue Server in SAP Netweaver 7.20, 7.01, and earlier allows remote attackers to cause a denial of service (uncontrolled recursion and crash) via a trace level with a wildcard in the Trace Pattern. |
| Internet Communication Manager (aka ICMAN or ICM) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (heap memory corruption and process crash) via a crafted HTTP request, related to the IctParseCookies function, aka SAP Security Note 2256185. |
| Unspecified vulnerability in the SAP CCMS / Database Monitors for Oracle allows attackers to obtain the database password via unknown vectors. |
| Stack-based buffer overflow in SAP Crystal Reports allows remote attackers to execute arbitrary code via a crafted data source string in an RPT file. |
| Unspecified vulnerability in SAP Guided Procedures Archive Monitor allows remote attackers to obtain usernames, roles, profiles, and possibly other identity information via unknown vectors. |
| Multiple cross-site scripting (XSS) vulnerabilities in the Java Proxy Runtime ProxyServer servlet in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via the (1) ns or (2) interface parameter to ProxyServer/register, aka SAP Security Note 2220571. |
| SAP FI Manager Self-Service has a hard-coded user name, which makes it easier for remote attackers to obtain access via unspecified vectors. |
| The SAP Netweaver Business Warehouse component does not properly restrict access to the functions in the BW-SYS-DB-DB4 function group, which allows remote authenticated users to obtain sensitive information via unspecified vectors. |
| SAP HANA Extend Application Services (XS) allows remote attackers to bypass access restrictions via a request to a private IU5 SDK application that was once public. |
| Multiple cross-site scripting (XSS) vulnerabilities in the XS Administration Tools in SAP HANA allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network. |