Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2015-2282

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-02 Jun, 2015 | 14:00
Updated At-06 Aug, 2024 | 05:10
Rejected At-
Credits

Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:02 Jun, 2015 | 14:00
Updated At:06 Aug, 2024 | 05:10
Rejected At:
▼CVE Numbering Authority (CNA)

Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://seclists.org/fulldisclosure/2015/May/50
mailing-list
x_refsource_FULLDISC
http://www.securityfocus.com/bid/74643
vdb-entry
x_refsource_BID
http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html
x_refsource_MISC
http://www.securityfocus.com/archive/1/535535/100/0/threaded
mailing-list
x_refsource_BUGTRAQ
http://seclists.org/fulldisclosure/2015/May/96
mailing-list
x_refsource_FULLDISC
http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities
x_refsource_MISC
Hyperlink: http://seclists.org/fulldisclosure/2015/May/50
Resource:
mailing-list
x_refsource_FULLDISC
Hyperlink: http://www.securityfocus.com/bid/74643
Resource:
vdb-entry
x_refsource_BID
Hyperlink: http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html
Resource:
x_refsource_MISC
Hyperlink: http://www.securityfocus.com/archive/1/535535/100/0/threaded
Resource:
mailing-list
x_refsource_BUGTRAQ
Hyperlink: http://seclists.org/fulldisclosure/2015/May/96
Resource:
mailing-list
x_refsource_FULLDISC
Hyperlink: http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://seclists.org/fulldisclosure/2015/May/50
mailing-list
x_refsource_FULLDISC
x_transferred
http://www.securityfocus.com/bid/74643
vdb-entry
x_refsource_BID
x_transferred
http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html
x_refsource_MISC
x_transferred
http://www.securityfocus.com/archive/1/535535/100/0/threaded
mailing-list
x_refsource_BUGTRAQ
x_transferred
http://seclists.org/fulldisclosure/2015/May/96
mailing-list
x_refsource_FULLDISC
x_transferred
http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities
x_refsource_MISC
x_transferred
Hyperlink: http://seclists.org/fulldisclosure/2015/May/50
Resource:
mailing-list
x_refsource_FULLDISC
x_transferred
Hyperlink: http://www.securityfocus.com/bid/74643
Resource:
vdb-entry
x_refsource_BID
x_transferred
Hyperlink: http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://www.securityfocus.com/archive/1/535535/100/0/threaded
Resource:
mailing-list
x_refsource_BUGTRAQ
x_transferred
Hyperlink: http://seclists.org/fulldisclosure/2015/May/96
Resource:
mailing-list
x_refsource_FULLDISC
x_transferred
Hyperlink: http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:02 Jun, 2015 | 14:59
Updated At:12 Apr, 2025 | 10:46

Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches
SAP SE
sap
>>gui>>-
cpe:2.3:a:sap:gui:-:*:*:*:*:*:*:*
SAP SE
sap
>>maxdb>>7.5
cpe:2.3:a:sap:maxdb:7.5:*:*:*:*:*:*:*
SAP SE
sap
>>maxdb>>7.6
cpe:2.3:a:sap:maxdb:7.6:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_abap_application_server>>-
cpe:2.3:a:sap:netweaver_abap_application_server:-:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_java_application_server>>-
cpe:2.3:a:sap:netweaver_java_application_server:-:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_rfc_sdk>>-
cpe:2.3:a:sap:netweaver_rfc_sdk:-:*:*:*:*:*:*:*
SAP SE
sap
>>rfc_library>>*
cpe:2.3:a:sap:rfc_library:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-119Primarynvd@nist.gov
CWE ID: CWE-119
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.htmlcve@mitre.org
Exploit
http://seclists.org/fulldisclosure/2015/May/50cve@mitre.org
Exploit
http://seclists.org/fulldisclosure/2015/May/96cve@mitre.org
Exploit
http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilitiescve@mitre.org
Exploit
http://www.securityfocus.com/archive/1/535535/100/0/threadedcve@mitre.org
N/A
http://www.securityfocus.com/bid/74643cve@mitre.org
N/A
http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.htmlaf854a3a-2127-422b-91ae-364da2661108
Exploit
http://seclists.org/fulldisclosure/2015/May/50af854a3a-2127-422b-91ae-364da2661108
Exploit
http://seclists.org/fulldisclosure/2015/May/96af854a3a-2127-422b-91ae-364da2661108
Exploit
http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilitiesaf854a3a-2127-422b-91ae-364da2661108
Exploit
http://www.securityfocus.com/archive/1/535535/100/0/threadedaf854a3a-2127-422b-91ae-364da2661108
N/A
http://www.securityfocus.com/bid/74643af854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html
Source: cve@mitre.org
Resource:
Exploit
Hyperlink: http://seclists.org/fulldisclosure/2015/May/50
Source: cve@mitre.org
Resource:
Exploit
Hyperlink: http://seclists.org/fulldisclosure/2015/May/96
Source: cve@mitre.org
Resource:
Exploit
Hyperlink: http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities
Source: cve@mitre.org
Resource:
Exploit
Hyperlink: http://www.securityfocus.com/archive/1/535535/100/0/threaded
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://www.securityfocus.com/bid/74643
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Hyperlink: http://seclists.org/fulldisclosure/2015/May/50
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Hyperlink: http://seclists.org/fulldisclosure/2015/May/96
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Hyperlink: http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Hyperlink: http://www.securityfocus.com/archive/1/535535/100/0/threaded
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://www.securityfocus.com/bid/74643
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1541Records found
CVE-2014-9264
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-4.26% / 88.36%
||
7 Day CHG~0.00%
Published-11 Dec, 2014 | 15:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywhere allows remote attackers to execute arbitrary code via a crafted column alias.

Action-Not Available
Vendor-n/aSAP SE
Product-sql_anywheren/a
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2008-0621
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-88.16% / 99.46%
||
7 Day CHG~0.00%
Published-06 Feb, 2008 | 11:00
Updated-07 Aug, 2024 | 07:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Buffer overflow in SAPLPD 6.28 and earlier included in SAP GUI 7.10 and SAPSprint before 1018 allows remote attackers to execute arbitrary code via long arguments to the (1) 0x01, (2) 0x02, (3) 0x03, (4) 0x04, and (5) 0x05 LPD commands.

Action-Not Available
Vendor-n/aSAP SE
Product-sapguisapsprintsaplpdn/a
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2015-4092
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.11% / 83.39%
||
7 Day CHG~0.00%
Published-26 May, 2015 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Buffer overflow in the XComms process in SAP Afaria 7.00.6620.2 SP5 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request, aka SAP Security Note 2153690.

Action-Not Available
Vendor-n/aSAP SE
Product-afarian/a
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2016-1928
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-37.33% / 97.05%
||
7 Day CHG~0.00%
Published-20 Jan, 2016 | 16:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Buffer overflow in the XS engine (hdbxsengine) in SAP HANA allows remote attackers to cause a denial of service or execute arbitrary code via a crafted HTTP request, related to JSON, aka SAP Security Note 2241978.

Action-Not Available
Vendor-n/aSAP SE
Product-hanan/a
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2016-10311
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.07% / 88.07%
||
7 Day CHG~0.00%
Published-10 Apr, 2017 | 15:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stack-based buffer overflow in SAP NetWeaver 7.0 through 7.5 allows remote attackers to cause a denial of service () by sending a crafted packet to the SAPSTARTSRV port, aka SAP Security Note 2295238.

Action-Not Available
Vendor-n/aSAP SE
Product-netweavern/a
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2015-7986
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-25.85% / 96.05%
||
7 Day CHG~0.00%
Published-27 Oct, 2015 | 16:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The index server (hdbindexserver) in SAP HANA 1.00.095 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via an HTTP request, aka SAP Security Note 2197428.

Action-Not Available
Vendor-n/aSAP SE
Product-hanan/a
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2011-1517
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.37% / 84.32%
||
7 Day CHG~0.00%
Published-05 Feb, 2020 | 22:15
Updated-06 Aug, 2024 | 22:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver 7.0 allows Remote Code Execution and Denial of Service caused by an error in the DiagTraceHex() function. By sending a specially-crafted packet, an attacker could exploit this vulnerability to cause the application to crash.

Action-Not Available
Vendor-n/aSAP SE
Product-netweavern/a
CVE-2014-8588
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.40% / 59.73%
||
7 Day CHG~0.00%
Published-04 Nov, 2014 | 15:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in metadata.xsjs in SAP HANA 1.00.60.379371 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Action-Not Available
Vendor-n/aSAP SE
Product-hanan/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-27610
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-9||CRITICAL
EPSS-0.55% / 66.96%
||
7 Day CHG~0.00%
Published-16 Jun, 2021 | 14:45
Updated-03 Aug, 2024 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system.

Action-Not Available
Vendor-SAP SE
Product-netweaver_abapnetweaver_application_server_abapSAP NetWeaver AS ABAP and ABAP Platform
CWE ID-CWE-287
Improper Authentication
CVE-2022-27668
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-9.8||CRITICAL
EPSS-0.96% / 75.56%
||
7 Day CHG~0.00%
Published-14 Jun, 2022 | 16:57
Updated-03 Aug, 2024 | 05:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP Platform - versions KERNEL 7.49, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.49, KRNL64UC 7.49, SAP_ROUTER 7.53, 7.22, from a remote client, for example stopping the SAProuter, that could highly impact systems availability.

Action-Not Available
Vendor-SAP SE
Product-routernetweaver_as_abapnetweaver_as_abap_krnl64ucnetweaver_as_abap_krnl64nucSAP NetWeaver and ABAP Platform
CWE ID-CWE-863
Incorrect Authorization
CVE-2016-6150
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.75% / 81.79%
||
7 Day CHG~0.00%
Published-05 Aug, 2016 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The multi-tenant database container feature in SAP HANA does not properly encrypt communications, which allows remote attackers to bypass intended access restrictions and possibly have unspecified other impact via unknown vectors, aka SAP Security Note 2233550.

Action-Not Available
Vendor-n/aSAP SE
Product-hanan/a
CWE ID-CWE-284
Improper Access Control
CVE-2022-22532
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-9.8||CRITICAL
EPSS-1.62% / 81.10%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 22:05
Updated-03 Aug, 2024 | 03:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that could be impersonating the victim or even steal the victim's logon session.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_javaSAP NetWeaver Application Server Java
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2016-6143
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-6.55% / 90.75%
||
7 Day CHG~0.00%
Published-13 Apr, 2017 | 14:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP HANA DB 1.00.73.00.389160 allows remote attackers to execute arbitrary code via vectors involving the audit logs, aka SAP Security Note 2170806.

Action-Not Available
Vendor-n/aSAP SE
Product-hanan/a
CWE ID-CWE-284
Improper Access Control
CVE-2014-8663
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.31% / 53.91%
||
7 Day CHG~0.00%
Published-06 Nov, 2014 | 15:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in Data Basis (BW-WHM-DBA) in SAP NetWeaver Business Warehouse allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Action-Not Available
Vendor-n/aSAP SE
Product-netweaver_business_warehousen/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2017-8914
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.3||HIGH
EPSS-0.49% / 64.70%
||
7 Day CHG~0.00%
Published-23 May, 2017 | 03:56
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to hijack npm packages or host arbitrary files by leveraging an insecure user creation policy, aka SAP Security Note 2407694.

Action-Not Available
Vendor-n/aSAP SE
Product-hana_xsn/a
CVE-2017-7691
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.59% / 68.21%
||
7 Day CHG~0.00%
Published-11 Apr, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A code injection vulnerability exists in SAP TREX / Business Warehouse Accelerator (BWA). The vendor response is SAP Security Note 2419592.

Action-Not Available
Vendor-n/aSAP SE
Product-trexn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-40499
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-9.8||CRITICAL
EPSS-0.84% / 73.77%
||
7 Day CHG~0.00%
Published-12 Oct, 2021 | 14:04
Updated-04 Aug, 2024 | 02:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapSAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint)
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2003-1036
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.08% / 86.22%
||
7 Day CHG~0.00%
Published-16 Mar, 2004 | 05:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple buffer overflows in the AGate component for SAP Internet Transaction Server (ITS) allow remote attackers to execute arbitrary code via long (1) ~command, (2) ~runtimemode, or (3) ~session parameters, or (4) a long HTTP Content-Type header.

Action-Not Available
Vendor-n/aSAP SE
Product-internet_transaction_servern/a
CVE-2018-2368
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-9.8||CRITICAL
EPSS-3.17% / 86.42%
||
7 Day CHG~0.00%
Published-01 Mar, 2018 | 17:00
Updated-05 Aug, 2024 | 04:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver System Landscape Directory, LM-CORE 7.10, 7.20, 7.30, 7.31, 7.40, does not perform any authentication checks for functionalities that require user identity.

Action-Not Available
Vendor-SAP SE
Product-netweaver_system_landscape_directorySAP NetWeaver System Landscape Directory, LM-Core
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2013-7364
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.68% / 70.52%
||
7 Day CHG~0.00%
Published-10 Apr, 2014 | 15:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified J2EE core service in the J2EE Engine in SAP NetWeaver does not properly restrict access, which allows remote attackers to read and write to arbitrary files via unknown vectors.

Action-Not Available
Vendor-n/aSAP SE
Product-netweavern/a
CVE-2013-7362
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.98% / 75.77%
||
7 Day CHG~0.00%
Published-10 Apr, 2014 | 15:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified RFC function in SAP CCMS Agent allows remote attackers to execute arbitrary commands via unknown vectors.

Action-Not Available
Vendor-n/aSAP SE
Product-ccms_agentn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2018-2404
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.28% / 50.71%
||
7 Day CHG~0.00%
Published-10 Apr, 2018 | 15:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Disclosure Management 10.1 allows an attacker to upload any file without proper file format validation.

Action-Not Available
Vendor-SAP SE
Product-disclosure_managementSAP Disclosure Management
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2018-2449
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-8.6||HIGH
EPSS-1.30% / 78.93%
||
7 Day CHG~0.00%
Published-14 Aug, 2018 | 16:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP SRM MDM Catalog versions 3.73, 7.31, 7.32 in (SAP NetWeaver 7.3) - import functionality does not perform authentication checks for valid repository user. This is an unauthenticated functionality that you can use on windows machines to do SMB relaying.

Action-Not Available
Vendor-SAP SE
Product-supplier_relationship_management_mdm_catalogSAP Supplier Relationship Management Master Data Management Catalog
CWE ID-CWE-287
Improper Authentication
CVE-2013-5723
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.79% / 72.94%
||
7 Day CHG~0.00%
Published-11 Sep, 2013 | 14:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to "ABAD0_DELETE_DERIVATION_TABLE."

Action-Not Available
Vendor-n/aSAP SE
Product-netweavern/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-2408
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-7.3||HIGH
EPSS-0.21% / 43.34%
||
7 Day CHG~0.00%
Published-10 Apr, 2018 | 15:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. In case of password change for a user, all other active sessions created using older password continues to be active.

Action-Not Available
Vendor-SAP SE
Product-businessobjectsSAP Business Objects
CWE ID-CWE-384
Session Fixation
CVE-2018-2420
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.65% / 69.97%
||
7 Day CHG~0.00%
Published-09 May, 2018 | 20:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, allows an attacker to upload any file (including script files) without proper file format validation.

Action-Not Available
Vendor-SAP SE
Product-internet_graphics_serverSAP Internet Graphics Server (IGS)
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2018-2418
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-5.5||MEDIUM
EPSS-0.52% / 65.78%
||
7 Day CHG~0.00%
Published-09 May, 2018 | 20:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP MaxDB ODBC driver (all versions before 7.9.09.07) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.

Action-Not Available
Vendor-SAP SE
Product-maxdb_odbc_driverSAP MaxDB ODBC driver
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2015-8600
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.32% / 54.50%
||
7 Day CHG~0.00%
Published-17 Dec, 2015 | 19:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SysAdminWebTool servlets in SAP Mobile Platform allow remote attackers to bypass authentication and obtain sensitive information, gain privileges, or have unspecified other impact via unknown vectors, aka SAP Security Note 2227855.

Action-Not Available
Vendor-n/aSAP SE
Product-mobile_platformn/a
CVE-2015-7993
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.41% / 60.69%
||
7 Day CHG~0.00%
Published-10 Nov, 2015 | 16:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Extended Application Services (aka XS or XS Engine) in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to "HTTP Login," aka SAP Security Note 2197397.

Action-Not Available
Vendor-n/aSAP SE
Product-hanan/a
CWE ID-CWE-20
Improper Input Validation
CVE-2020-6302
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.4||MEDIUM
EPSS-0.40% / 59.74%
||
7 Day CHG~0.00%
Published-09 Sep, 2020 | 12:52
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Commerce versions 6.7, 1808, 1811, 1905, 2005 contains the jSession ID in the backoffice URL when the application is loaded initially. An attacker can get this session ID via shoulder surfing or man in the middle attack and subsequently get access to admin user accounts, leading to Session Fixation and complete compromise of the confidentiality, integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-commerceSAP Commerce
CWE ID-CWE-384
Session Fixation
CVE-2007-3614
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-77.71% / 98.95%
||
7 Day CHG~0.00%
Published-06 Jul, 2007 | 19:00
Updated-07 Aug, 2024 | 14:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple stack-based buffer overflows in waHTTP.exe (aka the SAP DB Web Server) in SAP DB, possibly 7.3 through 7.5, allow remote attackers to execute arbitrary code via (1) a certain cookie value; (2) a certain additional parameter, related to sapdbwa_GetQueryString; and other unspecified vectors related to "numerous other fields."

Action-Not Available
Vendor-n/aSAP SE
Product-sap_dbn/a
CVE-2007-1915
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-4.78% / 89.03%
||
7 Day CHG~0.00%
Published-10 Apr, 2007 | 23:00
Updated-07 Aug, 2024 | 13:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Buffer overflow in the RFC_START_PROGRAM function in the SAP RFC Library 6.40 and 7.00 before 20061211 allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended.

Action-Not Available
Vendor-n/aMicrosoft CorporationSAP SEApple Inc.Siemens AGIBM CorporationHP Inc.Linux Kernel Organization, Inc
Product-os_400windows_serverlinux_kernelracfhp-uxtru64reliant_unixmacosrfc_libraryaixn/a
CVE-2017-9844
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-5.73% / 90.09%
||
7 Day CHG~0.00%
Published-12 Jul, 2017 | 16:00
Updated-02 May, 2025 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, aka SAP Security Note 2399804. NOTE: The vendor states that the devserver package of Visual Composer deserializes a malicious object that may cause legitimate users accessing a service, either by crashing or flooding the service.

Action-Not Available
Vendor-n/aSAP SE
Product-netweavern/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2006-6345
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.85% / 74.02%
||
7 Day CHG~0.00%
Published-07 Dec, 2006 | 01:00
Updated-07 Aug, 2024 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in SAP Internet Graphics Service (IGS) 6.40 Patchlevel 16 and earlier, and 7.00 Patchlevel 6 and earlier, allows remote attackers to delete arbitrary files via directory traversal sequences in an HTTP request. NOTE: This information is based upon an initial disclosure. Details will be updated after the grace period has ended. This issue is different from CVE-2006-4133 and CVE-2006-4134.

Action-Not Available
Vendor-n/aSAP SE
Product-internet_graphics_servern/a
CVE-2006-4133
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-24.82% / 95.93%
||
7 Day CHG~0.00%
Published-14 Aug, 2006 | 23:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Heap-based buffer overflow in SAP Internet Graphics Service (IGS) 6.40 and earlier, and 7.00 and earlier, allows remote attackers to cause a denial of service (crash) or execute arbitrary code via an HTTP request with an ADM:GETLOGFILE command and a long portwatcher argument, which triggers the overflow during error message construction when the _snprintf function returns a negative value that is used in a memcpy operation.

Action-Not Available
Vendor-n/aSAP SE
Product-internet_graphics_servern/a
CVE-2014-2752
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.52% / 65.82%
||
7 Day CHG~0.00%
Published-10 Apr, 2014 | 15:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business Object Processing Framework (BOPF) for ABAP has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.

Action-Not Available
Vendor-n/aSAP SE
Product-business_object_processing_framework_for_abapn/a
CVE-2005-4815
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.31% / 84.14%
||
7 Day CHG~0.00%
Published-21 Nov, 2006 | 23:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP 6.4 before 6.40 patch 4, 6.2 before 6.20 patch 1364, 4.6 before 4.6D patch 1767, 45 before 45B patch 913, 40 before 40B patch 1008, and 31 before 31I patch 735 do not properly restrict process execution by lnaxdm/sapsys, which allows remote attackers to execute arbitrary code via a certain UDP packet that ends with the name of a local executable file, aka the "FX SAP R/3 gwrd vuln."

Action-Not Available
Vendor-n/aSAP SE
Product-sap_r_3n/a
CVE-2017-6950
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.18% / 77.84%
||
7 Day CHG~0.00%
Published-23 Mar, 2017 | 20:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended security policy restrictions and execute arbitrary code via a crafted ABAP code, aka SAP Security Note 2407616.

Action-Not Available
Vendor-n/aSAP SE
Product-gui_for_windowsn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2021-38162
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-8.9||HIGH
EPSS-0.83% / 73.58%
||
7 Day CHG~0.00%
Published-14 Sep, 2021 | 11:15
Updated-04 Aug, 2024 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Web Dispatcher versions - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83 processes allow an unauthenticated attacker to submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages. This can result in the back-end server executing a malicious payload which can be used to read or modify any information on the server or consume server resources making it temporarily unavailable.

Action-Not Available
Vendor-SAP SE
Product-web_dispatcherSAP Web Dispatcher
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2021-37535
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-10||CRITICAL
EPSS-0.34% / 55.86%
||
7 Day CHG~0.00%
Published-14 Sep, 2021 | 11:21
Updated-04 Aug, 2024 | 01:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_javaSAP NetWeaver Application Server Java (JMS Connector Service)
CWE ID-CWE-862
Missing Authorization
CVE-2015-5067
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.58% / 80.86%
||
7 Day CHG~0.00%
Published-24 Jun, 2015 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The (1) Cross-System Tools and (2) Data Transfer Workbench in SAP NetWeaver have hardcoded credentials, which allows remote attackers to obtain access via unspecified vectors, aka SAP Security Notes 2059659 and 2057982.

Action-Not Available
Vendor-n/aSAP SE
Product-netweavern/a
CVE-2015-5068
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.96% / 75.50%
||
7 Day CHG~0.00%
Published-24 Jun, 2015 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML request, aka SAP Security Note 2159601.

Action-Not Available
Vendor-n/aSAP SE
Product-mobile_platformn/a
CVE-2015-4161
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.47% / 63.48%
||
7 Day CHG~0.00%
Published-02 Jun, 2015 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Afaria does not properly restrict access to unspecified functionality, which allows remote attackers to obtain sensitive information, gain privileges, or have other unspecified impact via unknown vectors, SAP Security Note 2155690.

Action-Not Available
Vendor-n/aSAP SE
Product-afarian/a
CVE-2003-0942
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.23% / 86.55%
||
7 Day CHG~0.00%
Published-21 Nov, 2003 | 05:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Buffer overflow in Web Agent Administration service in web-tools for SAP DB before 7.4.03.30 allows remote attackers to execute arbitrary code via a long Name parameter to waadmin.wa.

Action-Not Available
Vendor-n/aSAP SE
Product-sap_dbn/a
CVE-2003-1035
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.36% / 57.56%
||
7 Day CHG~0.00%
Published-16 Mar, 2004 | 05:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The default installation of SAP R/3 46C/D allows remote attackers to bypass account locking by using the RFC API instead of the SAPGUI to conduct a brute force password guessing attack, which does not lock out the account like the SAPGUI does.

Action-Not Available
Vendor-n/aSAP SE
Product-sapguisap_r_3n/a
CVE-2003-1037
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.92% / 82.60%
||
7 Day CHG~0.00%
Published-16 Mar, 2004 | 05:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Format string vulnerability in the WGate component for SAP Internet Transaction Server (ITS) allows remote attackers to execute arbitrary code via a high "trace level."

Action-Not Available
Vendor-n/aSAP SE
Product-internet_transaction_servern/a
CVE-2003-0943
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.90% / 74.70%
||
7 Day CHG~0.00%
Published-21 Nov, 2003 | 05:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

web-tools in SAP DB before 7.4.03.30 installs several services that are enabled by default, which could allow remote attackers to obtain potentially sensitive information or redirect attacks against internal databases via (1) waecho, (2) Web SQL Interface (websql), or (3) Web Database Manager (webdbm).

Action-Not Available
Vendor-n/aSAP SE
Product-sap_dbn/a
CVE-2017-16684
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 65.28%
||
7 Day CHG~0.00%
Published-12 Dec, 2017 | 14:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business Intelligence Promotion Management Application, Enterprise 4.10, 4.20, and 4.30, does not perform authentication checks for functionalities that require user identity.

Action-Not Available
Vendor-SAP SE
Product-business_intelligence_promotion_management_applicationSAP Business Intelligence Promotion Management Application
CWE ID-CWE-287
Improper Authentication
CVE-2017-11459
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.12% / 83.44%
||
7 Day CHG~0.00%
Published-25 Jul, 2017 | 18:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via an fget command or (2) write to arbitrary files and consequently execute arbitrary code via an fdir command, aka SAP Security Note 2419592.

Action-Not Available
Vendor-n/aSAP SE
Product-trexn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2015-4159
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.29% / 52.27%
||
7 Day CHG~0.00%
Published-02 Jun, 2015 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in SAP HANA Web-based Development Workbench allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Notes 2153892.

Action-Not Available
Vendor-n/aSAP SE
Product-hana_web-based_development_workbenchn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 30
  • 31
  • Next
Details not found