Filtered by vendor Sap Se
Total: 41 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-23688 | 2 Sap, Sap Se | 2 S4core, Sap Fiori App (manage Service Entry Sheets - Lean Services) | 2026-02-17 | 4.3 Medium |
| SAP Fiori App Manage Service Entry Sheets does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has a low impact on integrity; confidentiality and availability are not impacted. | ||||
| CVE-2026-24320 | 2 Sap, Sap Se | 4 Netweaver As Abap Kernel, Netweaver As Abap Krnl64nuc, Netweaver As Abap Krnl64uc and 1 more | 2026-02-17 | 3.1 Low |
| Due to improper memory management in SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker could exploit logical errors in memory management by supplying specially crafted input containing unique characters, which are improperly converted. This may result in memory corruption and the potential leakage of memory content. Successful exploitation of this vulnerability would have a low impact on the confidentiality of the application, with no effect on its integrity or availability. | ||||
| CVE-2026-24322 | 2 Sap, Sap Se | 2 Solution Tools Plug-in, Sap Solution Tools Plug-in (st-pi) | 2026-02-17 | 7.7 High |
| SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability. | ||||
| CVE-2026-24323 | 2 Sap, Sap Se | 4 Document Management System, Erp, S4core and 1 more | 2026-02-17 | 6.1 Medium |
| The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim's browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application. | ||||
| CVE-2026-24324 | 2 Sap, Sap Se | 2 Businessobjects Business Intelligence Platform, Sap Business Objects Business Intelligence Platform | 2026-02-17 | 6.5 Medium |
| SAP BusinessObjects Business Intelligence Platform (AdminTools) allows an authenticated attacker with user privileges to execute a specific query in AdminTools that could cause the Content Management Server (CMS) to crash, rendering the CMS partially or completely unavailable and resulting in a denial of service. Successful exploitation impacts system availability, while confidentiality and integrity remain unaffected. | ||||
| CVE-2026-24325 | 2 Sap, Sap Se | 2 Businessobjects Enterprise, Sap Businessobjects Enterprise (central Management Console) | 2026-02-17 | 4.8 Medium |
| SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to a Stored Cross-Site Scripting (XSS) vulnerability. This enables an admin user to inject malicious JavaScript into a website, and the injected script gets executed when the user visits the compromised page. This vulnerability has a low impact on confidentiality and integrity of the data. There is no impact on the availability of the application. | ||||
| CVE-2026-24326 | 2 Sap, Sap Se | 2 S/4hana Defense & Security, Sap S/4hana Defense & Security (disconnected Operations) | 2026-02-17 | 4.3 Medium |
| Due to a missing authorization check in Disconnected Operations of SAP S/4HANA Defense & Security, an attacker with user privileges could call remote-enabled function modules to perform direct updates on a standard SAP database table. This results in a low impact on integrity, with no impact on confidentiality or availability of the application. | ||||
| CVE-2026-24327 | 2 Sap, Sap Se | 2 Strategic Enterprise Management, Sap Strategic Enterprise Management (balanced Scorecard In Bsp Application) | 2026-02-17 | 4.3 Medium |
| Due to a missing authorization check in SAP Strategic Enterprise Management (Balanced Scorecard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This leads to a low impact on confidentiality and no effect on integrity or availability. | ||||
| CVE-2026-24328 | 2 Sap, Sap Se | 2 Business Server Pages, Business Server Pages Application (taf Applauncher) | 2026-02-17 | 6.1 Medium |
| SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker-controlled sites, potentially exposing or altering sensitive information in the victim's browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application. | ||||
| CVE-2025-42873 | 2 Sap, Sap Se | 2 Sapui5, Sapui5 | 2025-12-09 | 5.9 Medium |
| SAPUI5 (and OpenUI5) packages use outdated 3rd party libraries with known security vulnerabilities. When markdown-it encounters special malformed input, it fails to terminate properly, resulting in an infinite loop. This Denial of Service via infinite loop causes high CPU usage and system unresponsiveness due to a blocked processing thread. This vulnerability has no impact on confidentiality or integrity but has a high impact on system availability. | ||||
| CVE-2025-0061 | 2 Sap, Sap Se | 2 Businessobjects Business Intelligence Platform, Sap Business Objects Business Intelligence Platform | 2025-10-24 | 8.7 High |
| SAP BusinessObjects Business Intelligence Platform allows an unauthenticated attacker to perform session hijacking over the network without any user interaction, due to an information disclosure vulnerability. The attacker can access and modify all the data of the application. | ||||
| CVE-2024-33004 | 2 Sap, Sap Se | 2 Businessobjects Business Intelligence Platform, Sap Business Objects Business Intelligence Platform | 2025-10-23 | 4.3 Medium |
| SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage, as dynamic web pages are cached even after logging out. On successful exploitation, the attacker can see sensitive information through the cache and can open the pages, causing limited impact on Confidentiality, Integrity and Availability of the application. | ||||
| CVE-2025-42907 | 2 Sap, Sap Se | 2 Businessobjects Bi Platform, Sap Business Objects Business Intelligence Platform | 2025-10-14 | 4.3 Medium |
| SAP BI Platform allows an attacker to modify the IP address in the LogonToken for an OpenDoc link. On accessing the modified link in the browser, a different server could receive the ping request. This has a low impact on integrity, with no impact on confidentiality and availability of the system. | ||||
| CVE-2024-39592 | 2 Sap, Sap Se | 3 S4core, S4coreop, Sap Pdce | 2024-11-21 | 7.7 High |
| Elements of PDCE do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information, causing a high impact on the confidentiality of the application. | ||||
| CVE-2024-33007 | 1 Sap Se | 1 Sapui5 | 2024-11-21 | 3.5 Low |
| PDFViewer is a control delivered as part of SAPUI5 product which shows the PDF content in an embedded mode by default. If a PDF document contains embedded JavaScript (or any harmful client-side script), the PDFViewer will execute the JavaScript embedded in the PDF which can cause a potential security threat. | ||||
| CVE-2024-28167 | 1 Sap Se | 1 Sap Group Reporting Data Collection | 2024-11-21 | 6.5 Medium |
| SAP Group Reporting Data Collection does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation, specific data can be changed via the Enter Package Data app although the user does not have sufficient authorization, causing a high impact on the Integrity of the application. | ||||
| CVE-2024-45277 | 2 Sap, Sap Se | 2 Hana-client, Sap Hana Client | 2024-11-14 | 4.3 Medium |
| SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 are affected by a Prototype Pollution vulnerability, allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitization when using the nestTables feature, causing a low impact on the availability of the application. This has no impact on Confidentiality and Integrity. | ||||
| CVE-2024-45278 | 2 Sap, Sap Se | 2 Commerce Backoffice, Sap Commerce Backoffice | 2024-11-14 | 5.4 Medium |
| SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application. | ||||
| CVE-2024-47593 | 1 Sap Se | 1 Sap Netweaver And Abap Platform | 2024-11-12 | 4.3 Medium |
| SAP NetWeaver Application Server ABAP allows an unauthenticated attacker with network access to read files from the server which would otherwise be restricted. This attack is possible only if a Web Dispatcher or some sort of proxy server is in use and the file in question was previously opened or downloaded in an application based on SAP GUI for HTML technology. This will not compromise the application's integrity or availability. | ||||
| CVE-2024-42374 | 2 Sap, Sap Se | 2 Bex Web Java Runtime Export Web Service, Bex Web Java Runtime Export Web Service | 2024-09-16 | 8.2 High |
| BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source. An attacker can retrieve information from the SAP ADS system and exhaust the XMLForm service, which makes SAP ADS rendering (PDF creation) unavailable. This affects the confidentiality and availability of the application. | ||||
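The prototype-pollution entry above (CVE-2024-45277) describes the mechanism only in one sentence: a "nest tables" feature turns dotted column names into nested objects, and a column name containing `__proto__` walks the write up into `Object.prototype`. The following is an added illustration, not SAP's hana-client code; `nestRowUnsafe`, `nestRowSafe` and `demonstratePollution` are hypothetical names, and the sample rows are constructed. It shows the vulnerable nesting pattern polluting every object in the process, then a hardened version that rejects reserved segments and only descends into containers it created itself.

```javascript
// Property names that walk up to a shared prototype instead of staying on the
// result object. Any of them inside a dotted column name is rejected.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern (hypothetical, not hana-client's code): split each column
// name on '.' and build nested objects, trusting the column names completely.
function nestRowUnsafe(row) {
  const out = {};
  for (const [column, value] of Object.entries(row)) {
    const parts = column.split('.');
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      // cur['__proto__'] resolves to Object.prototype, so the walk leaves `out`
      if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
        cur[parts[i]] = {};
      }
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Hardened version: reject reserved segments and only descend into containers
// this routine created itself (own properties), never inherited ones.
function nestRowSafe(row) {
  const out = {};
  for (const [column, value] of Object.entries(row)) {
    const parts = column.split('.');
    if (parts.some((p) => RESERVED_KEYS.has(p))) {
      throw new Error(`refusing to nest column "${column}": reserved property name`);
    }
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      const own = Object.prototype.hasOwnProperty.call(cur, parts[i]);
      if (!own || typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
        cur[parts[i]] = {};
      }
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Constructed sample: a result row whose column alias an attacker influenced.
function demonstratePollution() {
  const maliciousRow = { id: 1, '__proto__.isAdmin': true };
  const before = ({}).isAdmin;          // undefined: nothing polluted yet
  nestRowUnsafe(maliciousRow);
  const after = ({}).isAdmin;           // true: every object in the process now inherits isAdmin
  delete Object.prototype.isAdmin;      // undo the pollution so the rest of the process is unaffected
  let safeError = null;
  try {
    nestRowSafe(maliciousRow);
  } catch (e) {
    safeError = e.message;
  }
  return { before, after, restored: ({}).isAdmin, safeError };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstratePollution());
  console.log(nestRowSafe({ id: 7, 'user.name': 'alice', 'user.role': 'ops' }));
}
```

The availability angle the entry mentions follows from the same mechanism: once `Object.prototype` carries unexpected properties, unrelated code that iterates keys or checks `if (obj.someFlag)` starts misbehaving or throwing. Rejecting reserved segments is the primary control; checking for own properties before descending is the second layer, so a value that happens to be inherited can never be used as a write target.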