| CVE-2017-16690 |
high |
7.8 |
7.8 |
|
|
sap |
9y ago |
A malicious DLL preload attack possible on NwSapSetup and Installation self-extracting program for SAP Plant Connectivity 2.3 and 15.0. It is possible that SAPSetup / NwSapSetup.exe loads system DLLs… |
| CVE-2017-16689 |
high |
8.8 |
8.8 |
|
|
sap |
9y ago |
A Trusted RFC connection in SAP KERNEL 32NUC, SAP KERNEL 32Unicode, SAP KERNEL 64NUC, SAP KERNEL 64Unicode 7.21, 7.21EXT, 7.22, 7.22EXT; SAP KERNEL from 7.21 to 7.22, 7.45, 7.49, can be established t… |
| CVE-2017-16682 |
high |
7.2 |
7.2 |
|
|
sap |
9y ago |
SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker with administrator credentials to inject code that can be execute… |
| CVE-2017-16680 |
high |
7.5 |
7.5 |
|
|
sap |
9y ago |
Two potential audit log injections in SAP HANA extended application services 1.0, advanced model: 1) Certain HTTP/REST endpoints of controller service are missing user input validation which could al… |
| CVE-2017-15297 |
high |
7.5 |
7.5 |
|
|
sap |
9y ago |
SAP Hostcontrol does not require authentication for the SOAP SAPControl endpoint. This is SAP Security Note 2442993. |
| CVE-2017-15296 |
high |
8.8 |
8.8 |
|
|
sap |
9y ago |
The Java component in SAP CRM has CSRF. This is SAP Security Note 2478964. |
| CVE-2017-14581 |
high |
7.5 |
7.5 |
|
|
sap |
9y ago |
The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash) via a crafted request, aka SAP Security Note 2389181. |
| CVE-2017-14511 |
high |
7.5 |
7.5 |
|
|
sap |
9y ago |
An issue was discovered in SAP E-Recruiting (aka ERECRUIT) 605 through 617. When an external applicant registers to the E-Recruiting application, he/she receives a link by email to confirm access to … |
| CVE-2014-8871 |
high |
7.5 |
7.5 |
|
|
sap |
9y ago |
Directory traversal vulnerability in hybris Commerce software suite 5.0.3.3 and earlier, 5.0.0.3 and earlier, 5.0.4.4 and earlier, 5.1.0.1 and earlier, 5.1.1.2 and earlier, 5.2.0.3 and earlier, and 5… |
| CVE-2017-9845 |
high |
7.5 |
7.5 |
|
|
sap |
9y ago |
disp+work 7400.12.21.30308 in SAP NetWeaver 7.40 allows remote attackers to cause a denial of service (resource consumption) via a crafted DIAG request, aka SAP Security Note 2405918. |
| CVE-2017-9843 |
low |
2.7 |
2.7 |
|
|
sap |
9y ago |
SAP NetWeaver AS ABAP 7.40 allows remote authenticated users with certain privileges to cause a denial of service (process crash) via vectors involving disp+work.exe, aka SAP Security Note 2406841. |
| CVE-2017-8915 |
high |
7.5 |
7.5 |
|
|
sap |
9y ago |
sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to cause a denial of service (assertion failure and service crash) by pushing a package with a filename containing a $ (dollar s… |
| CVE-2017-8914 |
high |
8.3 |
8.3 |
|
|
sap |
9y ago |
sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to hijack npm packages or host arbitrary files by leveraging an insecure user creation policy, aka SAP Security Note 2407694. |
| CVE-2017-8913 |
high |
8.8 |
8.8 |
|
|
sap |
9y ago |
The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/se… |
| CVE-2017-8852 |
high |
7.8 |
8.8 |
EXP |
|
sap |
9y ago |
SAP SAPCAR 721.510 has a Heap Based Buffer Overflow Vulnerability. It could be exploited with a crafted CAR archive file received from an untrusted remote source. The problem is that the length of da… |
| CVE-2017-7717 |
high |
8.8 |
8.8 |
|
|
sap |
9y ago |
SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified… |
| CVE-2017-7696 |
high |
7.5 |
7.5 |
|
|
sap |
9y ago |
SAP AS JAVA SSO Authentication Library 2.0 through 3.0 allow remote attackers to cause a denial of service (memory consumption) via large values in the width and height parameters to otp_logon_ui_res… |
| CVE-2017-5997 |
high |
7.5 |
7.5 |
|
|
sap |
9y ago |
The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows remote attackers to cause a denial of service (memory consumption and process crash) via multiple msgserver/group?group= requests wit… |
| CVE-2016-10079 |
high |
7.5 |
8.5 |
EXP |
|
sap |
10y ago |
SAPlpd through 7400.3.11.33 in SAP GUI 7.40 on Windows has a Denial of Service vulnerability (service crash) with a long string to TCP port 515. |
| CVE-2017-5372 |
high |
7.5 |
7.5 |
|
|
sap |
10y ago |
The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for… |
| CVE-2016-10005 |
high |
7.5 |
7.5 |
|
|
sap |
10y ago |
Webdynpro in SAP Solman 7.1 through 7.31 allows remote attackers to obtain sensitive information via webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd requests, aka SAP Security Note 2344524. |
| CVE-2016-9562 |
high |
7.5 |
7.5 |
|
|
sap |
10y ago |
SAP NetWeaver AS JAVA 7.4 allows remote attackers to cause a Denial of Service (null pointer exception and icman outage) via an HTTPS request to the sap.com~P4TunnelingApp!web/myServlet URI, aka SAP … |
| CVE-2016-7437 |
low |
3.3 |
3.3 |
|
|
sap |
10y ago |
SAP Netweaver 7.40 improperly logs (1) DUI and (2) DUJ events in the SAP Security Audit Log as non-critical, which might allow local users to hide rejected attempts to execute RFC function callbacks … |
| CVE-2016-3946 |
high |
7.8 |
7.8 |
|
|
sap |
10y ago |
SAP Console (aka SAPConsole) 7.30 allows local users to discover SAP Server login credentials by reading the Windows registry, aka SAP Security Note 2121461. |
| CVE-2016-3635 |
high |
7.5 |
7.5 |
|
|
sap |
10y ago |
SAP Netweaver 7.4 allows remote authenticated users to bypass an intended Unified Connectivity (UCON) access control list and execute arbitrary Remote Function Modules (RFM) by leveraging a connectio… |
| CVE-2016-4551 |
high |
7.5 |
7.5 |
|
|
sap |
10y ago |
The (1) SAP_BASIS and (2) SAP_ABA components 7.00 SP Level 0031 in SAP NetWeaver 2004s might allow remote attackers to spoof IP addresses written to the Security Audit Log via vectors related to the … |
| CVE-2016-6142 |
high |
7.5 |
7.5 |
|
|
sap |
10y ago |
SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to inject arbitrary audit trail fields into the SYSLOG via vectors related to the SQL protocol, aka SAP Security Note 2197459. |
| CVE-2016-6148 |
high |
7.5 |
7.5 |
|
|
sap |
10y ago |
SAP HANA DB 1.00.73.00.389160 allows remote attackers to cause a denial of service (process termination) or execute arbitrary code via vectors related to an IMPORT statement, aka SAP Security Note 22… |
| CVE-2016-6144 |
high |
8.1 |
8.1 |
|
|
sap |
10y ago |
The SQL interface in SAP HANA before Revision 102 does not limit the number of login attempts for the SYSTEM user when the password_lock_for_system_user is not supported or is configured as "False," … |
| CVE-2016-4018 |
high |
7.3 |
7.3 |
|
|
sap |
10y ago |
The Data Provisioning Agent (aka DP Agent) in SAP HANA does not properly restrict access to service functionality, which allows remote attackers to obtain sensitive information, gain privileges, and … |
| CVE-2016-4017 |
high |
7.5 |
7.5 |
|
|
sap |
10y ago |
The Data Provisioning Agent (aka DP Agent) in SAP HANA allows remote attackers to cause a denial of service (process crash) via unspecified vectors, aka SAP Security Note 2262710. |
| CVE-2016-4015 |
high |
7.5 |
7.5 |
|
|
sap |
10y ago |
The Enqueue Server in SAP NetWeaver JAVA AS 7.1 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted request, aka SAP Security Note 2258784. |
| CVE-2016-4014 |
high |
8.6 |
8.6 |
|
|
sap |
10y ago |
XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to ud… |
| CVE-2016-3980 |
high |
7.5 |
7.5 |
|
|
sap |
10y ago |
The Java Startup Framework (aka jstart) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted HTTP request, aka SAP Security Note 2259547. |
| CVE-2016-3979 |
high |
7.5 |
7.5 |
|
|
sap |
10y ago |
Internet Communication Manager (aka ICMAN or ICM) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (heap memory corruption and process crash) via a crafted HTTP req… |
| CVE-2015-8840 |
high |
8.8 |
8.8 |
|
|
sap |
10y ago |
The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly h… |
| CVE-2016-2536 |
high |
8.8 |
8.8 |
|
|
sapgoogle |
10y ago |
Multiple use-after-free vulnerabilities in SAP 3D Visual Enterprise Viewer allow remote attackers to execute arbitrary code via a crafted SketchUp document. NOTE: the primary affected product may be… |
| CVE-2016-2389 |
high |
7.5 |
8.5 |
EXP |
|
sap |
10y ago |
Directory traversal vulnerability in the GetFileList function in the SAP Manufacturing Integration and Intelligence (xMII) component 15.0 for SAP NetWeaver 7.4 allows remote attackers to read arbitra… |
| CVE-2015-8600 |
high |
— |
7.5 |
|
|
sap |
11y ago |
The SysAdminWebTool servlets in SAP Mobile Platform allow remote attackers to bypass authentication and obtain sensitive information, gain privileges, or have unspecified other impact via unknown vec… |
| CVE-2015-8330 |
high |
— |
7.8 |
|
|
sap |
11y ago |
The PCo agent in SAP Plant Connectivity (PCo) allows remote attackers to cause a denial of service (memory corruption and agent crash) via crafted xMII requests, aka SAP Security Note 2238619. |
| CVE-2015-7994 |
high |
— |
7.5 |
|
|
sap |
11y ago |
The SQL interface in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to "SQL Login," aka SAP Security Note 2197428. |
| CVE-2015-7993 |
high |
— |
7.5 |
|
|
sap |
11y ago |
The Extended Application Services (aka XS or XS Engine) in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to "HTTP Logi… |
| CVE-2015-7986 |
high |
— |
8.5 |
EXP |
|
sap |
11y ago |
The index server (hdbindexserver) in SAP HANA 1.00.095 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via an HTTP request, aka SAP Security Note 21… |
| CVE-2015-7728 |
low |
— |
3.5 |
|
|
sap |
11y ago |
Cross-site scripting (XSS) vulnerability in user creation in the Web-based Development Workbench in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to inject arbitrary … |
| CVE-2015-7726 |
low |
— |
3.5 |
|
|
sap |
11y ago |
Cross-site scripting (XSS) vulnerability in role deletion in the Web-based Development Workbench in SAP HANA DB 1.00.091.00.1418659308 allows remote authenticated users to inject arbitrary web script… |
| CVE-2015-6507 |
high |
— |
7.2 |
|
|
sap |
11y ago |
The hdbsql client 1.00.091.00 Build 1418659308-1530 in SAP HANA allows local users to cause a denial of service (memory corruption) and possibly have unspecified other impact via unknown vectors, aka… |
| CVE-2015-7239 |
high |
— |
7.5 |
|
|
sap |
11y ago |
SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function module in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2015-3449 |
high |
— |
7.2 |
|
|
sap |
11y ago |
The Windows client in SAP Afaria 7.0.6398.0 uses weak permissions (Everyone: read and Everyone: write) for the install folder, which allows local users to gain privileges via a Trojan horse XeService… |
| CVE-2015-5068 |
high |
— |
7.5 |
|
|
sap |
11y ago |
XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML request, aka SAP Security … |
| CVE-2015-5067 |
high |
— |
7.5 |
|
|
sap |
11y ago |
The (1) Cross-System Tools and (2) Data Transfer Workbench in SAP NetWeaver have hardcoded credentials, which allows remote attackers to obtain access via unspecified vectors, aka SAP Security Notes … |
| CVE-2015-4161 |
high |
— |
7.5 |
|
|
sap |
11y ago |
SAP Afaria does not properly restrict access to unspecified functionality, which allows remote attackers to obtain sensitive information, gain privileges, or have other unspecified impact via unknown… |
| CVE-2015-4160 |
high |
— |
7.5 |
|
|
sap |
11y ago |
SQL injection vulnerability in SAP ASE Database Platform allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Notes: 2152278. |
| CVE-2015-4159 |
high |
— |
7.5 |
|
|
sap |
11y ago |
SQL injection vulnerability in SAP HANA Web-based Development Workbench allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Notes 2153892. |
| CVE-2015-2282 |
high |
— |
7.5 |
|
|
sap |
11y ago |
Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Appl… |
| CVE-2015-4092 |
high |
— |
7.5 |
|
|
sap |
11y ago |
Buffer overflow in the XComms process in SAP Afaria 7.00.6620.2 SP5 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request, aka SAP Secu… |
| CVE-2015-4091 |
high |
— |
7.5 |
|
|
sap |
11y ago |
XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to send TCP requests to intranet servers or possibly have unspecified other impact via an XML request to t… |
| CVE-2015-3980 |
high |
— |
7.5 |
|
|
sap |
11y ago |
SQL injection vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2097534. |
| CVE-2015-3979 |
high |
— |
7.5 |
|
|
sap |
11y ago |
Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary code via unknown vectors, aka SAP Security Note 2097534. |
| CVE-2015-3978 |
low |
— |
2.1 |
|
|
sap |
11y ago |
SAP Sybase Unwired Platform Online Data Proxy allows local users to obtain usernames and passwords via the DataVault, aka SAP Security Note 2094830. |
| CVE-2015-2816 |
high |
— |
7.5 |
|
|
sap |
11y ago |
The XcListener in SAP Afaria 7.0.6001.5 does not properly restrict access, which allows remote attackers to have unspecified impact via a crafted request, aka SAP Security Note 2134905. |
| CVE-2015-1312 |
high |
— |
7.5 |
|
|
sap |
12y ago |
The Dealer Portal in SAP ERP does not properly restrict access, which allows remote attackers to obtain sensitive information, gain privileges, and possibly have other unspecified impact via unknown … |
| CVE-2014-9264 |
high |
— |
7.5 |
|
|
sap |
12y ago |
Stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywhere allows remote attackers to execute arbitrary code via a crafted column alias. |
| CVE-2014-8668 |
high |
— |
7.5 |
|
|
sap |
12y ago |
SQL injection vulnerability in SAP Contract Accounting allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2014-8664 |
high |
— |
7.5 |
|
|
sap |
12y ago |
SQL injection vulnerability in Product Safety (EHS-SAF) component in SAP Environment, Health, and Safety Management allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2014-8663 |
high |
— |
7.5 |
|
|
sap |
12y ago |
SQL injection vulnerability in Data Basis (BW-WHM-DBA) in SAP NetWeaver Business Warehouse allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2014-8662 |
high |
— |
7.8 |
|
|
sap |
12y ago |
Unspecified vulnerability in SAP Payroll Process allows remote attackers to cause a denial of service via vectors related to session handling. |
| CVE-2014-8660 |
high |
— |
7.2 |
|
|
sap |
12y ago |
SAP Document Management Services allows local users to execute arbitrary commands via unspecified vectors. |
| CVE-2014-8587 |
high |
— |
7.5 |
|
|
sap |
12y ago |
SAPCRYPTOLIB before 5.555.38, SAPSECULIB, and CommonCryptoLib before 8.4.30, as used in SAP NetWeaver AS for ABAP and SAP HANA, allows remote attackers to spoof Digital Signature Algorithm (DSA) sign… |
| CVE-2014-8312 |
low |
— |
3.5 |
|
|
sap |
12y ago |
Business Warehouse (BW) in SAP Netweaver AS ABAP 7.31 allows remote authenticated users to obtain sensitive information via a request to the RSDU_CCMS_GET_PROFILE_PARAM RFC function. |
| CVE-2014-8311 |
low |
— |
3.5 |
|
|
sap |
12y ago |
SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information via an InfoStore query to a CORBA listener. |
| CVE-2014-8310 |
high |
— |
7.1 |
|
|
sap |
12y ago |
The CMS CORBA listener in SAP BusinessObjects BI Edge 4.0 allows remote attackers to cause a denial of service (server shutdown) via crafted OSCAFactory::Session ORB message. |
| CVE-2014-5175 |
high |
— |
7.5 |
|
|
sap |
12y ago |
The License Measurement servlet in SAP Solution Manager 7.1 allows remote attackers to bypass authentication via unspecified vectors, related to a verb tampering attack and SAP_JTECHS. |
| CVE-2014-5174 |
low |
— |
3.5 |
|
|
sap |
12y ago |
The SAP Netweaver Business Warehouse component does not properly restrict access to the functions in the BW-SYS-DB-DB4 function group, which allows remote authenticated users to obtain sensitive info… |
| CVE-2014-5171 |
low |
— |
2.9 |
|
|
sap |
12y ago |
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and othe… |
| CVE-2014-4003 |
high |
— |
7.5 |
|
|
sap |
12y ago |
The System Landscape Directory (SLD) in SAP NetWeaver allows remote attackers to modify information via vectors related to adding a system. |
| CVE-2014-2752 |
high |
— |
7.5 |
|
|
sap |
12y ago |
SAP Business Object Processing Framework (BOPF) for ABAP has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. |
| CVE-2014-2751 |
high |
— |
7.5 |
|
|
sap |
12y ago |
SAP Print and Output Management has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. |
| CVE-2014-2748 |
high |
— |
7.5 |
|
|
sap |
12y ago |
The Security Audit Log facility in SAP Enhancement Package (EHP) 6 for SAP ERP 6.0 allows remote attackers to modify or delete arbitrary log classes via unspecified vectors. NOTE: some of these deta… |
| CVE-2013-7367 |
high |
— |
7.5 |
|
|
sap |
12y ago |
SAP Enterprise Portal does not properly restrict access to the Federation configuration pages, which allows remote attackers to gain privileges via unspecified vectors. |
| CVE-2013-7364 |
high |
— |
7.5 |
|
|
sap |
12y ago |
An unspecified J2EE core service in the J2EE Engine in SAP NetWeaver does not properly restrict access, which allows remote attackers to read and write to arbitrary files via unknown vectors. |
| CVE-2013-7363 |
high |
— |
7.5 |
|
|
sap |
12y ago |
Unspecified vulnerability in the Diagnostics (SMD) agent in SAP Solution Manager allows remote attackers to obtain sensitive information, modify the configuration of applications, and install or remo… |
| CVE-2013-7362 |
high |
— |
7.5 |
|
|
sap |
12y ago |
An unspecified RFC function in SAP CCMS Agent allows remote attackers to execute arbitrary commands via unknown vectors. |
| CVE-2013-7360 |
high |
— |
7.5 |
|
|
sap |
12y ago |
Unspecified vulnerability in SAP adminadapter allows remote attackers to read or write to arbitrary files via unknown vectors. |
| CVE-2013-7355 |
high |
— |
7.5 |
|
|
sap |
12y ago |
SQL injection vulnerability in SAP BI Universal Data Integration allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to the J2EE schema. |
| CVE-2013-7096 |
high |
— |
7.5 |
|
|
sap |
13y ago |
Multiple SQL injection vulnerabilities in SAP EMR Unwired allow remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2013-7094 |
high |
— |
7.5 |
|
|
sap |
13y ago |
SQL injection vulnerability in the RSDDCVER_COUNT_TAB_COLS function in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2013-6869 |
high |
— |
7.5 |
|
|
sap |
13y ago |
SQL injection vulnerability in the SRTT_GET_COUNT_BEFORE_KEY_RFC function in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2013-6284 |
high |
— |
7.5 |
|
|
sap |
13y ago |
Unspecified vulnerability in the Statutory Reporting for Insurance (FS_SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code vi… |
| CVE-2013-5723 |
high |
— |
7.5 |
|
|
sap |
13y ago |
SQL injection vulnerability in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to "ABAD0_DELETE_DERIVATION_TABLE." |
