CVEdetails.com the ultimate security vulnerability data source
SAP : Security Vulnerabilities (CVSS score between 3 and 3.99)

Fields per entry: # | CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date | CVSS Score, followed by Gained Access Level | Access | Complexity | Authentication | Conf. / Integ. / Avail., then the description. The "# of Exploits" column is empty for every entry on this page; "???" is the site's own marker for an unknown Authentication value.

1 | CVE-2021-33699 | CWE - | - | Published 2021-08-10 | Updated 2021-08-17 | Score 3.3
  Gained access: None | Access: Local Network | Complexity: Low | Authentication: Not required | C/I/A: Partial / None / None
  Task Hijacking is a vulnerability that affects the applications running on Android devices due to a misconfiguration in their AndroidManifest.xml with their Task Control features. This allows an unauthorized attacker or malware to take over legitimate apps and to steal the user's sensitive information.

2 | CVE-2021-33696 | CWE 79 | XSS | Published 2021-09-15 | Updated 2021-09-28 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP BusinessObjects Business Intelligence Platform (Crystal Report), versions 420, 430, does not sufficiently encode user controlled inputs and therefore an authorized attacker can exploit an XSS vulnerability, leading to non-permanent defacement or modification of displayed content from a Web site.

3 | CVE-2021-33694 | CWE 79 | Exec Code XSS | Published 2021-09-15 | Updated 2021-09-28 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Cloud Connector, version 2.0, does not sufficiently encode user-controlled inputs, allowing an attacker with Administrator rights to include malicious codes that get stored in the database, and when accessed, could be executed in the application, resulting in Stored Cross-Site Scripting.

4 | CVE-2021-33682 | CWE 79 | Exec Code XSS | Published 2021-07-14 | Updated 2021-07-16 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Lumira Server version 2.4 does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with basic level privileges to store a malicious script on SAP Lumira Server. The execution of the script content, by a victim registered on SAP Lumira Server, could compromise the confidentiality and integrity of SAP Lumira content.

5 | CVE-2021-33679 | CWE 79 | XSS | Published 2021-09-14 | Updated 2021-09-24 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  The SAP BusinessObjects BI Platform version 420 allows an attacker, who has basic access to the application, to inject a malicious script while creating a new module document, file, or folder. When another user visits that page, the stored malicious script will execute in their session, hence allowing the attacker to compromise their confidentiality and integrity.

6 | CVE-2021-33665 | CWE 79 | XSS | Published 2021-06-09 | Updated 2021-06-16 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions KRNL64NUC - 7.49, KRNL64UC - 7.49, 7.53, KERNEL - 7.49, 7.53, 7.77, 7.81, 7.84, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

7 | CVE-2021-33664 | CWE 79 | XSS | Published 2021-06-09 | Updated 2021-06-16 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions SAP_UI - 750, 752, 753, 754, 755, SAP_BASIS - 702, 731, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

8 | CVE-2021-27615 | CWE 79 | XSS | Published 2021-06-09 | Updated 2021-06-16 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Manufacturing Execution versions 15.1, 1.5.2, 15.3, 15.4, does not contain some HTTP security headers in their HTTP response. The lack of these headers in the response can be exploited by the attacker to execute Cross-Site Scripting (XSS) attacks.

9 | CVE-2021-27614 | CWE 74 | Exec Code | Published 2021-05-11 | Updated 2021-05-21 | Score 3.6
  Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | C/I/A: None / Partial / Partial
  SAP Business One Hana Chef Cookbook, versions 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One on SAP HANA, allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application, highly impacting the integrity and availability of the application.

10 | CVE-2021-27601 | CWE 79 | XSS | Published 2021-04-13 | Updated 2021-04-20 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree.

11 | CVE-2021-27600 | CWE 79 | Exec Code XSS | Published 2021-04-13 | Updated 2021-04-16 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Manufacturing Execution (System Rules), versions 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into an HTTP parameter and send it to the server because the SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored Cross-Site Scripting (XSS) vulnerability. The malicious code can be used for different purposes, e.g., information can be read, modified, and sent to the attacker. However, availability of the server cannot be impacted.

12 | CVE-2021-21489 | CWE 79 | Exec Code XSS | Published 2021-09-14 | Updated 2021-09-22 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP NetWeaver Enterprise Portal versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user related data, resulting in Stored Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with administrative privileges to store a malicious script on the portal. The execution of the script content by a victim registered on the portal could compromise the confidentiality and integrity of portal content.

13 | CVE-2021-21470 | CWE 611 | - | Published 2021-01-12 | Updated 2021-01-14 | Score 3.6
  Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | C/I/A: None / Partial / Partial
  SAP EPM Add-in for Microsoft Office, version 1010, and SAP EPM Add-in for SAP Analysis Office, version 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in applications that accept attacker-controlled XML configuration files. This occurs as the logging service does not disable XML external entities when parsing configuration files, and a successful exploit would result in limited impact on integrity and availability of the application.

14 | CVE-2021-21447 | CWE 79 | XSS | Published 2021-01-12 | Updated 2021-03-04 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP BusinessObjects Business Intelligence platform, versions 410, 420, allows an authenticated attacker to inject a malicious JavaScript payload into the custom value input field of an Input Control, which can be executed by a user who views the relevant application content, which leads to Stored Cross-Site Scripting.

15 | CVE-2021-21445 | CWE 444 | XSS | Published 2021-01-12 | Updated 2021-03-04 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Commerce Cloud, versions 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user. A successful exploitation of this vulnerability may lead to advanced attacks, including cross-site scripting and page hijacking.

16 | CVE-2020-6370 | CWE 79 | XSS | Published 2020-10-20 | Updated 2020-10-22 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP NetWeaver Design Time Repository (DTR), versions 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

17 | CVE-2020-6368 | CWE 79 | XSS +Info | Published 2020-10-15 | Updated 2020-10-19 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Business Planning and Consolidation, versions 750, 751, 752, 753, 754, 755, 810, 100, 200, can be abused by an attacker, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users, leading to Cross Site Scripting.

18 | CVE-2020-6326 | CWE 79 | XSS | Published 2020-09-09 | Updated 2020-09-14 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP NetWeaver (Knowledge Management), versions 7.30, 7.31, 7.40, 7.50, allows an authenticated attacker to create malicious links in the UI which, when clicked by the victim, will execute arbitrary JavaScript, thus extracting or modifying otherwise restricted information, leading to Stored Cross Site Scripting.

19 | CVE-2020-6312 | CWE 79 | XSS | Published 2020-09-09 | Updated 2020-09-10 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), versions 4.1, 4.2, allows an attacker with a non-administrative user account that can edit certain web page properties to modify how a browser processes particular page elements, leading to stored Cross Site Scripting. In certain situations, when a user accesses an affected web page element, the attacker will be able to access or modify metadata for which they are not authorized.

20 | CVE-2020-6303 | CWE 79 | XSS | Published 2020-01-14 | Updated 2020-01-24 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Disclosure Management, before version 10.1, does not validate user input properly in specific use cases, leading to Cross-Site Scripting.

21 | CVE-2020-6300 | CWE 79 | XSS | Published 2020-08-12 | Updated 2020-08-13 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Business Objects Business Intelligence Platform (Central Management Console), versions 4.2, 4.3, allows an attacker with administrator rights to use the web application to send malicious code to a different end user (victim), as it does not sufficiently encode user-controlled inputs for RecycleBin, resulting in Stored Cross-Site Scripting (XSS) vulnerability.

22 | CVE-2020-6285 | CWE 200 | +Info | Published 2020-07-14 | Updated 2021-07-21 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: Partial / None / None
  SAP NetWeaver - XML Toolkit for JAVA (ENGINEAPI) (versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50), under certain conditions allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure.

23 | CVE-2020-6278 | CWE 79 | XSS | Published 2020-07-14 | Updated 2020-07-14 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Business Objects Business Intelligence Platform (BI Launchpad and CMC), versions 4.1, 4.2, allows an attacker to embed malicious scripts in the application while uploading images, which get executed when the victim opens these files, leading to Stored Cross Site Scripting.

24 | CVE-2020-6272 | CWE 79 | XSS | Published 2020-10-15 | Updated 2020-10-19 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Commerce Cloud versions 1808, 1811, 1905, 2005, does not sufficiently encode user inputs, which allows an authenticated and authorized content manager to inject malicious script into several web CMS components. These can be saved and later triggered, if an affected web page is visited, resulting in Cross-Site Scripting (XSS) vulnerability.

25 | CVE-2020-6257 | CWE 79 | XSS | Published 2020-05-12 | Updated 2020-05-15 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad) 4.2 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability.

26 | CVE-2020-6231 | CWE 79 | XSS | Published 2020-04-14 | Updated 2020-04-15 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

27 | CVE-2020-6226 | CWE 79 | XSS | Published 2020-04-14 | Updated 2020-04-15 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

28 | CVE-2020-6224 | CWE 200 | +Info | Published 2020-04-14 | Updated 2021-07-21 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: Partial / None / None
  SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends a request with login credentials, leading to Information Disclosure.

29 | CVE-2020-6222 | CWE 79 | XSS | Published 2020-04-14 | Updated 2020-04-15 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

30 | CVE-2020-6221 | CWE 79 | XSS | Published 2020-04-14 | Updated 2020-04-15 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  Web Intelligence HTML interface in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

31 | CVE-2020-6200 | CWE 79 | XSS | Published 2020-03-10 | Updated 2020-03-11 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  The SAP Commerce (SmartEdit Extension), versions 6.6, 6.7, 1808, 1811, is vulnerable to client-side AngularJS template injection, a variant of Cross-Site-Scripting (XSS) that exploits the templating facilities of the Angular framework.

32 | CVE-2020-6185 | CWE 79 | XSS | Published 2020-02-12 | Updated 2020-02-19 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54) allows an authenticated attacker to store a malicious payload, which results in Stored Cross Site Scripting vulnerability.

33 | CVE-2019-0395 | CWE 79 | XSS | Published 2019-12-11 | Updated 2019-12-17 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad), before version 4.2, allows execution of JavaScript in a text module in Fiori BI Launchpad, leading to Stored Cross Site Scripting vulnerability.

34 | CVE-2019-0385 | CWE 79 | XSS | Published 2019-11-13 | Updated 2019-11-15 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Enable Now, before version 1908, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

35 | CVE-2019-0382 | CWE 79 | XSS | Published 2019-11-13 | Updated 2019-11-15 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  A Cross-Site Scripting vulnerability exists in SAP BusinessObjects Business Intelligence Platform (Web Intelligence-Publication related pages); corrected in version 4.2. Privileges are required in order to exploit this vulnerability.

36 | CVE-2019-0378 | CWE 79 | XSS | Published 2019-10-08 | Updated 2019-10-10 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before version 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store malicious scripts in the file name of the background image, resulting in Stored Cross-Site Scripting.

37 | CVE-2019-0377 | CWE 79 | XSS | Published 2019-10-08 | Updated 2019-10-10 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before version 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store malicious scripts in the input controls, resulting in Stored Cross-Site Scripting.

38 | CVE-2019-0376 | CWE 79 | Exec Code XSS | Published 2019-10-08 | Updated 2019-10-10 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows an attacker to save malicious scripts in the publication name, which can be executed later by the victim, resulting in Stored Cross-Site Scripting.

39 | CVE-2019-0375 | CWE 79 | Exec Code XSS | Published 2019-10-08 | Updated 2019-10-10 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the export dialog box of the report name, resulting in reflected Cross-Site Scripting.

40 | CVE-2019-0374 | CWE 79 | Exec Code XSS | Published 2019-10-08 | Updated 2019-10-10 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the chart title, resulting in reflected Cross-Site Scripting.

41 | CVE-2019-0369 | CWE 79 | Exec Code XSS | Published 2019-10-08 | Updated 2019-10-10 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Financial Consolidation, before versions 10.0 and 10.1, does not sufficiently encode user-controlled inputs, which allows an attacker to execute scripts by uploading files containing malicious scripts, leading to reflected cross site scripting vulnerability.

42 | CVE-2019-0368 | CWE 79 | XSS | Published 2019-10-08 | Updated 2019-10-17 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs within the mail client, resulting in Cross-Site Scripting vulnerability.

43 | CVE-2019-0318 | CWE - | - | Published 2019-07-10 | Updated 2020-08-24 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: Partial / None / None
  Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted.

44 | CVE-2019-0316 | CWE 79 | XSS | Published 2019-06-14 | Updated 2020-02-10 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim's browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked into clicking on those malicious links, resulting in reflected Cross Site Scripting vulnerability.

45 | CVE-2019-0308 | CWE 94 | Exec Code | Published 2019-06-12 | Updated 2021-07-21 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  An authenticated attacker in SAP E-Commerce (Business-to-Consumer application), versions 7.3, 7.31, 7.32, 7.33, 7.54, can change the price of the product to zero and also check out, by injecting HTML code in the application that will be executed whenever the victim logs in to the application, even on a different machine, leading to Code Injection.

46 | CVE-2019-0284 | CWE 611 | - | Published 2019-04-10 | Updated 2019-04-11 | Score 3.6
  Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | C/I/A: Partial / None / Partial
  SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not sufficiently validate an XML document accepted from an untrusted source. The attacker can call SLDREG with an XML file containing a reference to an XML External Entity (XXE). This can cause SLDREG to, for example, continuously loop, read arbitrary files and even send local files.

47 | CVE-2019-0275 | CWE 79 | XSS | Published 2019-03-12 | Updated 2021-09-09 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability.

48 | CVE-2019-0269 | CWE 79 | XSS | Published 2019-03-12 | Updated 2019-03-13 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.10 and 4.20, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

49 | CVE-2019-0262 | CWE 79 | XSS | Published 2019-02-15 | Updated 2019-02-19 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP WebIntelligence BILaunchPad, versions 4.10, 4.20, does not sufficiently encode user-controlled inputs in generated HTML reports, resulting in Cross-Site Scripting (XSS) vulnerability.

50 | CVE-2019-0254 | CWE 79 | XSS | Published 2019-02-15 | Updated 2019-02-20 | Score 3.5
  Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | C/I/A: None / Partial / None
  SAP Disclosure Management (before version 10.1 Stack 1301) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Total number of vulnerabilities: 67. Page 1 of 2 (this page shows entries 1 to 50).
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.