SAP Host Agent, version 7.21, allows an attacker with admin privileges to use the operation framework to gain root privileges over the underlying operating system, leading to Privilege Escalation. Date published : 2020-04-14 http://seclists.org/fulldisclosure/2021/Apr/5...
SAP S/4 HANA (Financial Products Subledger and Banking Services), versions – FSAPPL 400, 450, 500 and S4FPSL 100, allows an authenticated user to run an analysis report due to Missing Authorization Check, resulting in...
SAP Commerce, versions 1811, 1905, does not perform necessary authorization checks for an anonymous user, due to Missing Authorization Check. This affects confidentiality of secure media. Date published : 2020-04-14 https://launchpad.support.sap.com/#/notes/2888556 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Date published : 2020-04-14 https://launchpad.support.sap.com/#/notes/2879132 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202
SAP OrientDB, version 3.0, allows an authenticated attacker with script execute/write permissions to inject code that can be executed by the application and lead to Code Injection. An attacker could thereby control the behavior...
SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME), versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not sufficiently encode user controlled inputs, resulting...
SAP Business Client, versions 6.5, 7.0, does not perform necessary integrity checks which could be exploited by an attacker under certain conditions to modify the installer. Date published : 2020-04-14 https://launchpad.support.sap.com/#/notes/2866752 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202
SAP Business Objects Business Intelligence Platform (CMS / Auditing issues), version 4.2, allows attacker to send specially crafted GIOP packets to several services due to Improper Input Validation, allowing to forge additional entries in...
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Date published : 2020-04-14 https://launchpad.support.sap.com/#/notes/2879132 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202
SAP NetWeaver (Knowledge Management), versions (KMC-CM – 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 and KMC-WPC 7.30, 7.31, 7.40, 7.50), does not sufficiently validate path information provided by users, thus characters representing traverse to...
SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user...
The open document of SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, allows an attacker to modify certain error pages to include malicious content. This can misdirect a user who is tricked into...
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Date published : 2020-04-14 https://launchpad.support.sap.com/#/notes/2880804 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202
Web Intelligence HTML interface in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Date published : 2020-04-14 https://launchpad.support.sap.com/#/notes/2878507 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202