SAP Cloud Connector, version - 2.0, allows the upload of zip files as backup. This backup file can be tricked to inject special elements such as '..' and '/' separators, for attackers to escape outside of the restricted location to access files or directories.
SAP BusinessObjects Business Intelligence Platform - version 420, 430, allows an unauthorized attacker who had hijacked a user session, to be able to bypass the victim’s old password via brute force, due to unrestricted rate limit for password change functionality. Although the attack has no impact on integrity loss or system availability, this could lead to an attacker to completely takeover a victim’s account.
Under certain conditions SAP Commerce (OCC API) - versions HY_COM 2105, HY_COM 2205, COM_CLOUD 2211, endpoints allow an attacker to access information which would otherwise be restricted. On successful exploitation there could be a high impact on confidentiality with no impact on integrity and availability of the application.
The Web Dispatcher service in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to read web dispatcher and security trace files and possibly obtain passwords via unspecified vectors, aka SAP Security Note 2148854.
SAP Enable Now, before version 1911, leaks information about network configuration in the server error messages, leading to Information Disclosure.
Under certain conditions the PI Integration Builder Web UI of SAP NetWeaver Process Integration (versions: SAP_XIESR: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50 and SAP_XIPCK 7.10 to 7.11, 7.20, 7.30) allows an attacker to access passwords used in FTP channels leading to information disclosure.
Under certain conditions SAP HANA Extended Application Services, version 1.0, advanced model (XS advanced) writes credentials of platform users to a trace file of the SAP HANA system. Even though this trace file is protected from unauthorized access, the risk of leaking information is increased.
In SAP Business Objects Business Intelligence Platform, before versions 4.1, 4.2 and 4.3, some dynamic pages (like jsp) are cached, which leads to an attacker can see the sensitive information via cache and can open the dynamic pages even after logout.
The .NET SDK WebForm Viewer in SAP Crystal Reports for Visual Studio (fixed in version 2010) discloses sensitive database information including credentials which can be misused by the attacker.
SAP Enable Now, before version 1911, leaks information about the existence of a particular user which can be used to construct a list of users, leading to a user enumeration vulnerability and Information Disclosure.
Under certain conditions SAP Landscape Management (VCM 3.0) allows an attacker to access information which would otherwise be restricted.
Several web pages in SAP NetWeaver Process Integration (Runtime Workbench), fixed in versions 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; can be accessed without user authentication, which might expose internal data like release information, Java package and Java object names which can be misused by the attacker.
The TRUSTED_SYSTEM_SECURITY function in the SAP RFC Library 6.40 and 7.00 before 20061211 allows remote attackers to verify the existence of users and groups on systems and domains via unspecified vectors, a different vulnerability than CVE-2006-6010. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended.
SAP Brazil add-on has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.
SAP HANA DB 1.00.091.00.1418659308 allows remote attackers to obtain sensitive topology information via an unspecified HTTP request, aka SAP Security Note 2176128.
Users of an SAP Mobile Platform (version 3.0) Offline OData application, which uses Offline OData-supplied delta tokens (which is on by default), occasionally receive some data values of a different user.
Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 allows an attacker to access information which would otherwise be restricted.
A remote unauthenticated attacker, SAP HANA 1.00 and 2.00, could send specially crafted SOAP requests to the SAP Startup Service and disclose information such as the platform's hostname.
Under certain conditions SAP HANA, 1.00, 2.00, allows an unauthenticated attacker to access information which would otherwise be restricted. An attacker can misuse the authentication function of the SAP HANA server on its SQL interface and disclose 8 bytes of the server process memory. The attacker cannot influence or predict the location of the leaked memory.
In the Software Development Kit in SAP BusinessObjects BI Platform Servers, versions 4.1 and 4.2, using the specially crafted URL in a Web Browser such as Chrome the system returns an error with the path of the used application server.
SAP UI5 did not validate user input before adding it to the DOM structure. This may lead to malicious user-provided JavaScript code being added to the DOM that could steal user information. Software components affected are: SAP Hana Database 1.00, 2.00; SAP UI5 1.00; SAP UI5 (Java) 7.30, 7.31, 7.40, 7,50; SAP UI 7.40, 7.50, 7.51, 7.52, and version 2.0 of SAP UI for SAP NetWeaver 7.00
Server Side Request Forgery (SSRF) vulnerability in SAP Central Management Console, BI Launchpad and Fiori BI Launchpad, 4.10, from 4.20, from 4.30, could allow a malicious user to use common techniques to determine which ports are in use on the backend server.
Under certain conditions, Crystal Report using SAP Business One, versions 9.2 and 9.3, connection type allows an attacker to access information which would otherwise be restricted.
Under certain conditions SAP Adaptive Server Enterprise (ASE), versions 15.7 and 16.0, allows an attacker to access information which would otherwise be restricted.
A security weakness in SAP Financial Consolidation Cube Designer (BOBJ_EADES fixed in versions 8.0, 10.1) may allow an attacker to discover the password hash of an admin user.
Under certain circumstances, a specific endpoint of the Controller's API could be misused by unauthenticated users to execute SQL statements that deliver information about system configuration in SAP HANA Extended Application Services, 1.0.
Admin tools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allow an unauthenticated user to read sensitive information (server name), hence leading to an information disclosure.
SAP NetWeaver RFC SDK allows attackers to obtain sensitive information via unspecified vectors, aka SAP Security Note 2084037.
Directory traversal vulnerability in wgate.dll for SAP Internet Transaction Server (ITS) 4620.2.0.323011 allows remote attackers to read arbitrary files via ..\ (dot-dot backslash) sequences in the ~theme parameter and a ~template parameter with a filename followed by space characters, which can prevent SAP from effectively adding a .html extension to the filename.
The SAP Management Console in SAP NetWeaver 7.40 allows remote attackers to obtain sensitive information via the ReadProfile parameters, aka SAP Security Note 2091768.
The File RepositoRy Server (FRS) CORBA listener in SAP BussinessObjects Edge 4.0 allows remote attackers to read arbitrary files via a full pathname, aka SAP Note 2018682.
Directory traversal vulnerability in SAP Environment, Health, and Safety allows remote attackers to read arbitrary files via unspecified vectors.
The SAP Business Intelligence Development Workbench allows remote attackers to obtain sensitive information by reading unspecified files.
Directory traversal vulnerability in hybris Commerce software suite 5.0.3.3 and earlier, 5.0.0.3 and earlier, 5.0.4.4 and earlier, 5.1.0.1 and earlier, 5.1.1.2 and earlier, 5.2.0.3 and earlier, and 5.3.0.1 and earlier.
SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service.
XML External Entity (XXE) vulnerability in polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 allows remote attackers to read arbitrary files via the xmlParameter parameter in an explorationSpaceUpdate request.
SAP HANA Extend Application Services (XS) allows remote attackers to bypass access restrictions via a request to a private IU5 SDK application that was once public.
SAP NetWeaver 7.20 and earlier allows remote attackers to read arbitrary SAP Central User Administration (SAP CUA) tables via unspecified vectors.
SAP Web Services Tool (CA-WUI-WST) has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.
The SAP Upgrade tools for ABAP has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.
SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet.
The SAP Trader's and Scheduler's Workbench (TSW) for SAP Oil & Gas has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.
The Java Server Pages in the Software Lifecycle Manager (SLM) in SAP NetWeaver allows remote attackers to obtain sensitive information via a crafted request, related to SAP Solution Manager 7.1.
SAP Commerce, versions 1811, 1905, does not perform necessary authorization checks for an anonymous user, due to Missing Authorization Check. This affects confidentiality of secure media.
The HANA ICM process in SAP HANA allows remote attackers to obtain the platform version, host name, instance number, and possibly other sensitive information via a malformed HTTP GET request.
Under certain conditions the backup server in SAP Adaptive Server Enterprise (ASE), versions 15.7 and 16.0, allows an attacker to access information which would otherwise be restricted.
The Omni Commerce Connect API (OCC) of SAP Hybris Commerce, versions 6.*, is vulnerable to server-side request forgery (SSRF) attacks. This is due to a misconfiguration of XML parser that is used in the server-side implementation of OCC.
Unspecified vulnerability in the Portal WebDynPro in SAP NetWeaver allows remote attackers to obtain sensitive path information via unknown attack vectors.
Gwsync in SAP CRM 7.02 EHP 2 allows remote attackers to obtain sensitive information via unspecified vectors, related to an XML External Entity (XXE) issue.
Unspecified vulnerability in SAP Mobile Infrastructure allows remote attackers to obtain sensitive port information via unknown vectors, related to an "internal port scanning" issue.