Filtered by vendor Sap
Subscriptions
Total
1581 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-24874 | 1 Sap | 1 Commerce Backoffice | 2025-07-23 | 6.8 Medium |
| SAP Commerce (Backoffice) uses the deprecated X-FRAME-OPTIONS header to protect against clickjacking. While this protection remains effective now, it may not be the case in the future as browsers might discontinue support for this header in favor of the frame-ancestors CSP directive. Hence, clickjacking could become possible then, and lead to exposure and modification of sensitive information. | ||||
| CVE-2025-42986 | 1 Sap | 2 Abap Platform, Netweaver | 2025-07-13 | 4.3 Medium |
| Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application. | ||||
| CVE-2025-42953 | 1 Sap | 1 Netweaver | 2025-07-13 | 8.1 High |
| SAP Netweaver System Configuration does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could completely compromise the integrity and availability with no impact on confidentiality of the system. | ||||
| CVE-2024-44120 | 1 Sap | 1 Netweaver Enterprise Portal | 2025-07-13 | 4.7 Medium |
| SAP NetWeaver Enterprise Portal is vulnerable to reflected cross site scripting due to insufficient encoding of user-controlled input. An unauthenticated attacker could craft a malicious URL and trick a user to click it. If the victim clicks on this crafted URL before it times out, then the attacker could read and manipulate user content in the browser. | ||||
| CVE-2024-47580 | 1 Sap | 1 Netweaver | 2025-07-13 | 6.8 Medium |
| An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability. | ||||
| CVE-2025-43001 | 1 Sap | 1 Sapcar | 2025-07-13 | 6.9 Medium |
| SAPCAR allows an attacker logged in with high privileges to override the permissions of the current and parent directories of the user or process extracting the archive, leading to privilege escalation. On successful exploitation, an attacker could modify the critical files by tampering with signed archives without breaking the signature, but it has a low impact on the confidentiality and availability of the system. | ||||
| CVE-2024-32733 | 1 Sap | 1 Netweaver | 2025-07-12 | 6.1 Medium |
| Due to missing input validation and output encoding of untrusted data, SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject malicious JavaScript code into the dynamically crafted web page. On successful exploitation the attacker can access or modify sensitive information with no impact on availability of the application | ||||
| CVE-2025-42989 | 1 Sap | 1 Netweaver Application Server For Abap | 2025-07-12 | 9.6 Critical |
| RFC inbound processing�does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation the attacker could critically impact both integrity and availability of the application. | ||||
| CVE-2025-42992 | 1 Sap | 1 Sapcar | 2025-07-12 | 6.9 Medium |
| SAPCAR allows an attacker logged in with high privileges to create a malicious SAR archive in SAPCAR. This could enable the attacker to exploit critical files and directory permissions without breaking signature validation, resulting in potential privilege escalation. This has high impact on integrity, but low impact on confidentiality and availability of the system. | ||||
| CVE-2025-42961 | 1 Sap | 1 Netweaver Application Server For Abap | 2025-07-12 | 4.9 Medium |
| Due to a missing authorization check in SAP NetWeaver Application server for ABAP, an authenticated user with high privileges could exploit the insufficient validation of user permissions to access sensitive database tables. By leveraging overly permissive access configurations, unauthorized reading of critical data is possible, resulting in a significant impact on the confidentiality of the information stored. However, the integrity and availability of the system remain unaffected. | ||||
| CVE-2025-30017 | 1 Sap | 1 Solution Manager | 2025-07-12 | 4.4 Medium |
| Due to a missing authorization check, an authenticated attacker could upload a file as a template for solution documentation in SAP Solution Manager 7.1. After successful exploitation, an attacker can cause limited impact on the integrity and availability of the application. | ||||
| CVE-2024-22125 | 1 Sap | 1 Gui Connector | 2025-06-17 | 7.4 High |
| Under certain conditions the Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) - version 1.0, allows an attacker to access highly sensitive information which would otherwise be restricted causing high impact on confidentiality. | ||||
| CVE-2024-21735 | 1 Sap | 1 Lt Replication Server | 2025-06-17 | 7.3 High |
| SAP LT Replication Server - version S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, does not perform necessary authorization checks. This could allow an attacker with high privileges to perform unintended actions, resulting in escalation of privileges, which has High impact on confidentiality, integrity and availability of the system. | ||||
| CVE-2025-0070 | 1 Sap | 2 Abap Platform, Netweaver Application Server Abap | 2025-06-16 | 9.9 Critical |
| SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to obtain illegitimate access to the system by exploiting improper authentication checks, resulting in privilege escalation. On successful exploitation, this can result in potential security concerns. This results in a high impact on confidentiality, integrity, and availability. | ||||
| CVE-2023-31403 | 1 Sap | 1 Business One | 2025-06-11 | 9.6 Critical |
| SAP Business One installation - version 10.0, does not perform proper authentication and authorization checks for SMB shared folder. As a result, any malicious user can read and write to the SMB shared folder. Additionally, the files in the folder can be executed or be used by the installation process leading to considerable impact on confidentiality, integrity and availability. | ||||
| CVE-2022-39801 | 1 Sap | 1 Access Control | 2025-06-10 | 7.5 High |
| SAP GRC Access control Emergency Access Management allows an authenticated attacker to access a Firefighter session even after it is closed in Firefighter Logon Pad. This attack can be launched only within the firewall. On successful exploitation the attacker can gain access to admin session and completely compromise the application. | ||||
| CVE-2022-39799 | 1 Sap | 1 Netweaver Application Server Abap | 2025-06-10 | 6.1 Medium |
| An attacker with no prior authentication could craft and send malicious script to SAP GUI for HTML within Fiori Launchpad, resulting in reflected cross-site scripting attack. This could lead to stealing session information and impersonating the affected user. | ||||
| CVE-2022-41201 | 1 Sap | 1 3d Visual Enterprise Viewer | 2025-06-05 | 7.8 High |
| Due to lack of proper memory management, when a victim opens a manipulated Right Hemisphere Binary (.rh, rh.x3d) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9, it is possible that a Remote Code Execution can be triggered when payload forces a stack-based overflow or a re-use of dangling pointer which refers to overwritten space in memory. | ||||
| CVE-2024-21737 | 1 Sap | 1 Application Interface Framework | 2025-06-03 | 8.4 High |
| In SAP Application Interface Framework File Adapter - version 702, a high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this, such user can control the behaviour of the application. This leads to considerable impact on confidentiality, integrity and availability. | ||||
| CVE-2024-21738 | 1 Sap | 1 Netweaver Application Server Abap | 2025-06-03 | 4.1 Medium |
| SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation. | ||||