2024

2023

2022

2021

2020

CVE-2020-6314 (v3: 4.3) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated HPGL file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6321 (v3: 6.5) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated U3D file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6322 (v3: 4.3) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated 3DM file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6327 (v3: 4.3) 9 Sep 2020

CVE-2020-6328 (v3: 4.3) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated CGM file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6329 (v3: 4.3) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated SKP file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6330 (v3: 4.3) 9 Sep 2020

CVE-2020-6331 (v3: 4.3) 9 Sep 2020

CVE-2020-6332 (v3: 4.3) 9 Sep 2020

CVE-2020-6333 (v3: 4.3) 9 Sep 2020

CVE-2020-6334 (v3: 4.3) 9 Sep 2020

CVE-2020-6335 (v3: 4.3) 9 Sep 2020

CVE-2020-6336 (v3: 4.3) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6337 (v3: 4.3) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated HDR file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6338 (v3: 4.3) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated RH file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6339 (v3: 4.3) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated BMP file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6340 (v3: 4.3) 9 Sep 2020

CVE-2020-6341 (v3: 4.3) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated EPS file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6342 (v3: 4.3) 9 Sep 2020

CVE-2020-6343 (v3: 4.3) 9 Sep 2020

CVE-2020-6344 (v3: 4.3) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PDF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6345 (v3: 4.3) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated TGA file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6346 (v3: 4.3) 9 Sep 2020

CVE-2020-6347 (v3: 4.3) 9 Sep 2020

CVE-2020-6348 (v3: 4.3) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated GIF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6349 (v3: 4.3) 9 Sep 2020

CVE-2020-6350 (v3: 4.3) 9 Sep 2020

CVE-2020-6351 (v3: 4.3) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated FBX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6352 (v3: 4.3) 9 Sep 2020

CVE-2020-6353 (v3: 4.3) 9 Sep 2020

CVE-2020-6354 (v3: 4.3) 9 Sep 2020

CVE-2020-6355 (v3: 4.3) 9 Sep 2020

CVE-2020-6356 (v3: 4.3) 9 Sep 2020

CVE-2020-6357 (v3: 4.3) 9 Sep 2020

CVE-2020-6358 (v3: 4.3) 9 Sep 2020

CVE-2020-6359 (v3: 4.3) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PLT file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6360 (v3: 4.3) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated DIB file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6361 (v3: 4.3) 9 Sep 2020

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated RLE files received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

CVE-2020-6240 (v3: 7.5) 12 May 2020

SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service leading to Denial of Service

CVE-2020-6247 (v3: 7.5) 12 May 2020

SAP Business Objects Business Intelligence Platform, version 4.2, allows an unauthenticated attacker to prevent legitimate users from accessing a service. Using a specially crafted request, the attacker can crash or flood the Central Management Server, thereby impacting system availability.

CVE-2020-6248 (v3: 7.2) 12 May 2020

SAP Adaptive Server Enterprise (Backup Server), version 16.0, does not perform the necessary validation checks for an authenticated user while executing DUMP or LOAD command allowing arbitrary code execution or Code Injection.

CVE-2020-6227 (v3: 7.5) 14 Apr 2020

SAP Business Objects Business Intelligence Platform (CMS / Auditing issues), version 4.2, allows attacker to send specially crafted GIOP packets to several services due to Improper Input Validation, allowing to forge additional entries in GLF log files.

CVE-2020-6238 (v3: 9.3) 14 Apr 2020

SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce.

CVE-2020-6177 (v3: 4.3) 12 Feb 2020

SAP Mobile Platform, version 3.0, does not sufficiently validate an XML document accepted from an untrusted source which could lead to partial denial of service. Since SAP Mobile Platform does not allow External-Entity resolving, there is no issue of leaking content of files on the server.

CVE-2020-6191 (v3: 7.2) 12 Feb 2020

SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious executables with root privileges in SAP Host Agent via SAP Landscape Management due to Missing Input Validation.

CVE-2020-6192 (v3: 7.2) 12 Feb 2020

SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious commands with root privileges in SAP Host Agent via SAP Landscape Management.

CVE-2020-6304 (v3: 7.5) 14 Jan 2020

Improper input validation in SAP NetWeaver Internet Communication Manager (update provided in KRNL32NUC & KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT KRNL64NUC & KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49 KERNEL 7.21, 7.49, 7.53) allows an attacker to prevent users from accessing its services through a denial of service.

2019

CVE-2019-0403 (v3: 9.8) 11 Dec 2019

SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed when opened, leading to CSV Command Injection.

CVE-2019-0396 (v3: 7.1) 13 Nov 2019

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), corrected in versions 4.1 and 4.2, does not sufficiently validate an XML document accepted from an untrusted source. An attacker can craft a message that contains malicious elements that will not be correctly filtered by Web Intelligence HTML interface in some specific workflows.

CVE-2019-0350 (v3: 7.5) 4 Nov 2019

SAP HANA Database, versions 1.0, 2.0, allows an unauthorized attacker to send a malformed connection request, which crashes the indexserver of an SAP HANA instance, leading to Denial of Service

CVE-2019-0363 (v3: 7.1) 10 Sep 2019

Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to overload the server or retrieve information about internal network ports.

CVE-2019-0364 (v3: 4.3) 10 Sep 2019

Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to enumerate open ports.

CVE-2019-0340 (v3: 5.4) 14 Aug 2019

The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validation vulnerability. This issue affects the file upload at multiple locations. An attacker can read local XXE files.

CVE-2019-0341 (v3: 8.8) 14 Aug 2019

The session cookie used by SAP Enable Now, version 1902, does not have the HttpOnly flag set. If an attacker runs script code in the context of the application, he could get access to the session cookie. The session cookie could then be abused to gain access to the application.

CVE-2019-3571 (v3: 5.3) 16 Jul 2019

An input validation issue affected WhatsApp Desktop versions prior to 0.3.3793 which allows malicious clients to send files to users that would be displayed with a wrong extension.

CVE-2019-0255 (v3: 8.1) 15 Feb 2019

SAP NetWeaver AS ABAP Platform, Krnl64nuc 7.74, krnl64UC 7.73, 7.74, Kernel 7.73, 7.74, 7.75, fails to validate type of installation for an ABAP Server system correctly. That behavior may lead to situation, where business user achieves access to the full SAP Menu, that is 'Easy Access Menu'. The situation can be misused by any user to leverage privileges to business functionality.

CVE-2019-0240 (v3: 7.5) 8 Jan 2019

SAP Business Objects Mobile for Android (before 6.3.5) application allows an attacker to provide malicious input in the form of a SAP BI link, preventing legitimate users from accessing the application by crashing it.

2018

CVE-2018-2492 (v3: 7.1) 11 Dec 2018

SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50.

CVE-2018-2497 (v3: 2.7) 11 Dec 2018

The security audit log of SAP HANA, versions 1.0 and 2.0, does not log SELECT events if these events are part of a statement with the syntax CREATE TABLE AS SELECT.

CVE-2018-2478 (v3: 7.2) 13 Nov 2018

An attacker can use specially crafted inputs to execute commands on the host of a TREX / BWA installation, SAP Basis, versions: 7.0 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40 and 7.50 to 7.53. Not all commands are possible, only those that can be executed by the adm user. The commands executed depend upon the privileges of the adm user.

CVE-2018-2483 (v3: 4.3) 13 Nov 2018

HTTP Verb Tampering is possible in SAP BusinessObjects Business Intelligence Platform, versions 4.1 and 4.2, Central Management Console (CMC) by changing request method.

CVE-2018-2488 (v3: 7.8) 13 Nov 2018

It is possible for a malware application installed on an Android device to send local push notifications with an empty message to SAP Fiori Client and cause the application to crash. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version.

CVE-2018-2462 (v3: 8.8) 11 Sep 2018

In certain cases, BEx Web Java Runtime Export Web Service in SAP NetWeaver BI 7.30, 7.31. 7.40, 7.41, 7.50, does not sufficiently validate an XML document accepted from an untrusted source.

CVE-2018-2465 (v3: 7.5) 11 Sep 2018

SAP HANA (versions 1.0 and 2.0) Extended Application Services classic model OData parser does not sufficiently validate XML. By exploiting, an unauthorized hacker can cause the database server to crash.

CVE-2018-2441 (v3: 5.5) 14 Aug 2018

Under certain conditions the SAP Change and Transport System (ABAP), SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49, 7.53 and 7.73, allows an attacker to transport information which would otherwise be restricted.

CVE-2018-2439 (v3: 5.9) 10 Jul 2018

The SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, has insufficient request validation (for example, where the request is validated for authenticity and validity) and under certain conditions, will process invalid requests. Several areas of the SAP Internet Graphics Server (IGS) did not require sufficient input validation. Namely, the SAP Internet Graphics Server (IGS) HTTP and RFC listener, SAP Internet Graphics Server (IGS) portwatcher when registering a portwatcher to the multiplexer and the SAP Internet Graphics Server (IGS) multiplexer had insufficient input validation and thus allowing a malformed data packet to cause a crash.

CVE-2018-2424 (v3: 7.5) 12 Jun 2018

SAP UI5 did not validate user input before adding it to the DOM structure. This may lead to malicious user-provided JavaScript code being added to the DOM that could steal user information. Software components affected are: SAP Hana Database 1.00, 2.00; SAP UI5 1.00; SAP UI5 (Java) 7.30, 7.31, 7.40, 7,50; SAP UI 7.40, 7.50, 7.51, 7.52, and version 2.0 of SAP UI for SAP NetWeaver 7.00

CVE-2018-2416 (v3: 5.4) 9 May 2018

SAP Identity Management 7.2 and 8.0 do not sufficiently validate an XML document accepted from an untrusted source.

CVE-2018-2389 (v3: 5.7) 14 Feb 2018

Under certain conditions a malicious user can inject log files of SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, hiding important information in the log file.

CVE-2018-2395 (v3: 8.8) 14 Feb 2018

Under certain conditions a malicious user may retrieve information on SAP Internet Graphic Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, overwrite existing image or corrupt other type of files.

2017

CVE-2017-16691 (v3: 6.5) 12 Dec 2017

SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52) supports upload of digitally signed note file of type 'SAR'. The digital signature verification is done together with the extraction of note file contained in the SAR archive. It is possible to append a tampered file to the SAR archive using SAPCAR tool and during the extraction, digital signature verification fails but the tampered file is extracted.

CVE-2017-14511 (v3: 7.5) 17 Sep 2017

An issue was discovered in SAP E-Recruiting (aka ERECRUIT) 605 through 617. When an external applicant registers to the E-Recruiting application, he/she receives a link by email to confirm access to the provided email address. However, this measure can be bypassed and attackers can register and confirm email addresses that they do not have access to (candidate_hrobject is predictable and corr_act_guid is improperly validated). Furthermore, since an email address can be registered only once, an attacker could prevent other legitimate users from registering. This is SAP Security Note 2507798.

2016

CVE-2016-10079 (v3: 7.5) 1 Feb 2017

SAPlpd through 7400.3.11.33 in SAP GUI 7.40 on Windows has a Denial of Service vulnerability (service crash) with a long string to TCP port 515.

CVE-2016-6148 (v3: 7.5) 5 Aug 2016

SAP HANA DB 1.00.73.00.389160 allows remote attackers to cause a denial of service (process termination) or execute arbitrary code via vectors related to an IMPORT statement, aka SAP Security Note 2233136.

CVE-2016-3979 (v3: 7.5) 8 Apr 2016

Internet Communication Manager (aka ICMAN or ICM) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (heap memory corruption and process crash) via a crafted HTTP request, related to the IctParseCookies function, aka SAP Security Note 2256185.

CVE-2016-3980 (v3: 7.5) 8 Apr 2016

The Java Startup Framework (aka jstart) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted HTTP request, aka SAP Security Note 2259547.

CVE-2016-1929 (v3: 9.3) 20 Jan 2016

The XS engine in SAP HANA allows remote attackers to spoof log entries in trace files and consequently cause a denial of service (disk consumption and process crash) via a crafted HTTP request, related to an unspecified debug function, aka SAP Security Note 2241978.

2015

CVE-2015-7828 (v2: 10) 10 Nov 2015

SAP HANA Database 1.00 SPS10 and earlier do not require authentication, which allows remote attackers to execute arbitrary code or have unspecified other impact via a TrexNet packet to the (1) fcopydir, (2) fmkdir, (3) frmdir, (4) getenv, (5) dumpenv, (6) fcopy, (7) fput, (8) fdel, (9) fmove, (10) fget, (11) fappend, (12) fdir, (13) getTraces, (14) kill, (15) pexec, (16) stop, or (17) pythonexec method, aka SAP Security Note 2165583.

CVE-2015-7993 (v2: 7.5) 10 Nov 2015

The Extended Application Services (aka XS or XS Engine) in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to "HTTP Login," aka SAP Security Note 2197397.

CVE-2015-7994 (v2: 7.5) 10 Nov 2015

The SQL interface in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to "SQL Login," aka SAP Security Note 2197428.

CVE-2015-3621 (v2: 9.3) 16 Jul 2015

Untrusted search path vulnerability in SAP Enterprise Central Component (ECC) allows local users to gain privileges via a Trojan horse program.

CVE-2015-3994 (v2: 4) 29 May 2015

The grant.xsfunc application in testApps/grantAccess/ in the XS Engine in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to spoof log entries via a crafted request, aka SAP Security Note 2109818.

CVE-2015-2819 (v2: 5) 1 Apr 2015

SAP Sybase SQL Anywhere 11 and 16 allows remote attackers to cause a denial of service (crash) via a crafted request, aka SAP Security Note 2108161.

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Threat Intelligence

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015