Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2019-0244

Summary
Assigner-sap
Assigner Org ID-e4686d1a-f260-4930-ac4c-2f5c992778dd
Published At-08 Jan, 2019 | 20:00
Updated At-04 Aug, 2024 | 17:44
Rejected At-
Credits

SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:sap
Assigner Org ID:e4686d1a-f260-4930-ac4c-2f5c992778dd
Published At:08 Jan, 2019 | 20:00
Updated At:04 Aug, 2024 | 17:44
Rejected At:
▼CVE Numbering Authority (CNA)

SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Affected Products
Vendor
SAP SESAP SE
Product
SAP CRM WebClient UI (SAPSCORE)
Versions
Affected
  • < 1.12
Vendor
SAP SESAP SE
Product
SAP CRM WebClient UI (S4FND)
Versions
Affected
  • < 1.02
Vendor
SAP SESAP SE
Product
SAP CRM WebClient UI (WEBCUIF)
Versions
Affected
  • < 7.31
  • < 7.46
  • < 7.47
  • < 7.48
  • < 8.0
  • < 8.01
Problem Types
TypeCWE IDDescription
textN/ACross-Site Scripting
Type: text
CWE ID: N/A
Description: Cross-Site Scripting
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://launchpad.support.sap.com/#/notes/2588763
x_refsource_MISC
http://www.securityfocus.com/bid/106473
vdb-entry
x_refsource_BID
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985
x_refsource_MISC
Hyperlink: https://launchpad.support.sap.com/#/notes/2588763
Resource:
x_refsource_MISC
Hyperlink: http://www.securityfocus.com/bid/106473
Resource:
vdb-entry
x_refsource_BID
Hyperlink: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://launchpad.support.sap.com/#/notes/2588763
x_refsource_MISC
x_transferred
http://www.securityfocus.com/bid/106473
vdb-entry
x_refsource_BID
x_transferred
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985
x_refsource_MISC
x_transferred
Hyperlink: https://launchpad.support.sap.com/#/notes/2588763
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://www.securityfocus.com/bid/106473
Resource:
vdb-entry
x_refsource_BID
x_transferred
Hyperlink: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@sap.com
Published At:08 Jan, 2019 | 20:29
Updated At:17 Jan, 2019 | 15:21

SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.05.4MEDIUM
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary2.03.5LOW
AV:N/AC:M/Au:S/C:N/I:P/A:N
Type: Primary
Version: 3.0
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 2.0
Base score: 3.5
Base severity: LOW
Vector:
AV:N/AC:M/Au:S/C:N/I:P/A:N
CPE Matches
SAP SE
sap
>>customer_relationship_management_webclient_ui>>7.31
cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.31:*:*:*:*:*:*:*
SAP SE
sap
>>customer_relationship_management_webclient_ui>>7.46
cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.46:*:*:*:*:*:*:*
SAP SE
sap
>>customer_relationship_management_webclient_ui>>7.47
cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.47:*:*:*:*:*:*:*
SAP SE
sap
>>customer_relationship_management_webclient_ui>>7.48
cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.48:*:*:*:*:*:*:*
SAP SE
sap
>>customer_relationship_management_webclient_ui>>8.00
cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.00:*:*:*:*:*:*:*
SAP SE
sap
>>customer_relationship_management_webclient_ui>>8.01
cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.01:*:*:*:*:*:*:*
SAP SE
sap
>>s4fnd>>1.02
cpe:2.3:a:sap:s4fnd:1.02:*:*:*:*:*:*:*
SAP SE
sap
>>sapscore>>1.12
cpe:2.3:a:sap:sapscore:1.12:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://www.securityfocus.com/bid/106473cna@sap.com
Third Party Advisory
VDB Entry
https://launchpad.support.sap.com/#/notes/2588763cna@sap.com
Permissions Required
Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985cna@sap.com
Vendor Advisory
Hyperlink: http://www.securityfocus.com/bid/106473
Source: cna@sap.com
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://launchpad.support.sap.com/#/notes/2588763
Source: cna@sap.com
Resource:
Permissions Required
Vendor Advisory
Hyperlink: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985
Source: cna@sap.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

6567Records found
CVE-2019-0262
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 53.40%
||
7 Day CHG~0.00%
Published-15 Feb, 2019 | 18:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP WebIntelligence BILaunchPad, versions 4.10, 4.20, does not sufficiently encode user-controlled inputs in generated HTML reports, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_bi_platformSAP WebIntelligence BILaunchPad (Enterprise)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0245
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 53.30%
||
7 Day CHG~0.00%
Published-08 Jan, 2019 | 20:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-s4fndsapscorecustomer_relationship_management_webclient_uiSAP CRM WebClient UI (SAPSCORE)SAP CRM WebClient UI (S4FND)SAP CRM WebClient UI (WEBCUIF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0334
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 44.49%
||
7 Day CHG~0.00%
Published-14 Aug, 2019 | 13:48
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When creating a module in SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, it is possible to store a malicious script which when executed later could potentially allow a user to escalate privileges via session hijacking. The attacker could also access other sensitive information, leading to Stored Cross Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligenceSAP BusinessObjects Business Intelligence Platform (BI Workspace)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0368
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.29% / 52.20%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:17
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs within the mail client resulting in Cross-Site Scripting vulnerability.

Action-Not Available
Vendor-SAP SE
Product-customer_relationship_management_bbpcrmcustomer_relationship_management_s4crmSAP Customer Relationship Management (Email Management - BBPCRM)SAP Customer Relationship Management (Email Management - S4CRM)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0385
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.29% / 52.66%
||
7 Day CHG~0.00%
Published-13 Nov, 2019 | 21:57
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Enable Now, before version 1908, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-enable_nowSAP Enable Now
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0374
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.39% / 59.93%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:21
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the chart title resulting in reflected Cross-Site Scripting

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2405
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 37.65%
||
7 Day CHG~0.00%
Published-10 Apr, 2018 | 15:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Solution Manager, 7.10, 7.20, Incident Management Work Center allows an attacker to upload a malicious script as an attachment and this could lead to possible Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-solution_managerSAP Solution Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2410
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.28% / 51.51%
||
7 Day CHG~0.00%
Published-10 Apr, 2018 | 15:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business One, 9.2, 9.3, browser access does not sufficiently encode user controlled inputs, which results in a Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-business_oneSAP Business One
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6266
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 38.04%
||
7 Day CHG~0.00%
Published-10 Jun, 2020 | 12:51
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Fiori for SAP S/4HANA, versions - 100, 200, 300, 400, allows an attacker to redirect users to a malicious site due to insufficient URL validation, leading to URL Redirection.

Action-Not Available
Vendor-SAP SE
Product-fioriSAP Fiori for SAP S/4HANA
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2020-26828
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.32% / 54.91%
||
7 Day CHG~0.00%
Published-09 Dec, 2020 | 16:30
Updated-04 Aug, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Disclosure Management, version - 10.1, provides capabilities for authorized users to upload and download content of specific file type. In some file types it is possible to enter formulas which can call external applications or execute scripts. The execution of a payload (script) on target machine could be used to steal and modify the data available in the spreadsheet

Action-Not Available
Vendor-SAP SE
Product-disclosure_managementSAP Disclosure Management.
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2021-21445
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 38.99%
||
7 Day CHG~0.00%
Published-12 Jan, 2021 | 14:42
Updated-03 Aug, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user. A successful exploitation of this vulnerability may lead to advanced attacks, including cross-site scripting and page hijacking.

Action-Not Available
Vendor-SAP SE
Product-commerce_cloudSAP Commerce Cloud
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2014-5172
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.53% / 67.34%
||
7 Day CHG~0.00%
Published-31 Jul, 2014 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the XS Administration Tools in SAP HANA allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aSAP SE
Product-hanan/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23192
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-8.2||HIGH
EPSS-0.36% / 58.17%
||
7 Day CHG~0.00%
Published-10 Jun, 2025 | 00:10
Updated-23 Oct, 2025 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (BI Workspace)

SAP BusinessObjects Business Intelligence (BI Workspace) allows an unauthenticated attacker to craft and store malicious script within a workspace. When the victim accesses the workspace, the script will execute in their browser enabling the attacker to potentially access sensitive session information, modify or make browser information unavailable. This leads to a high impact on confidentiality and low impact on integrity, availability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligenceSAP BusinessObjects Business Intelligence (BI Workspace)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6281
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 37.25%
||
7 Day CHG~0.00%
Published-14 Jul, 2020 | 12:30
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting reflected in Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP Business Objects Business Intelligence Platform (BI Launchpad)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-3134
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 55.89%
||
7 Day CHG~0.00%
Published-30 Apr, 2014 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the InfoView application in SAP BusinessObjects allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aSAP SE
Product-businessobjectsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1964
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 55.89%
||
7 Day CHG~0.00%
Published-14 Feb, 2014 | 15:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Integration Repository in the SAP Exchange Infrastructure (BC-XI) component in SAP NetWeaver allows remote attackers to inject arbitrary web script or HTML via vectors related to the ESR application and a DIR error.

Action-Not Available
Vendor-n/aSAP SE
Product-netweaver_exchange_infrastructure_\(bc-xi\)netweavern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1965
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 55.89%
||
7 Day CHG~0.00%
Published-14 Feb, 2014 | 15:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in ISpeakAdapter in the Integration Repository in the SAP Exchange Infrastructure (BC-XI) component 3.0, 7.00 through 7.02, and 7.10 through 7.11 for SAP NetWeaver allows remote attackers to inject arbitrary web script or HTML via vectors related to PIP.

Action-Not Available
Vendor-n/aSAP SE
Product-netweavern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6367
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-8.2||HIGH
EPSS-1.25% / 79.50%
||
7 Day CHG~0.00%
Published-20 Oct, 2020 | 13:32
Updated-04 Aug, 2024 | 09:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There is a reflected cross site scripting vulnerability in SAP NetWeaver Composite Application Framework, versions - 7.20, 7.30, 7.31, 7.40, 7.50. An unauthenticated attacker can trick an unsuspecting authenticated user to click on a malicious link. The end users browser has no way to know that the script should not be trusted, and will execute the script, resulting in sensitive information being disclosed or modified.

Action-Not Available
Vendor-SAP SE
Product-netweaver_composite_application_frameworkSAP NetWeaver Composite Application Framework
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-49577
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.11% / 28.57%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 01:04
Updated-02 Aug, 2024 | 22:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in the SAP HCM (SMART PAYE solution)

The SAP HCM (SMART PAYE solution) - versions S4HCMCIE 100, SAP_HRCIE 600, SAP_HRCIE 604, SAP_HRCIE 608, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-human_capital_managementSAP HCM (SMART PAYE solution)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6205
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.51% / 66.46%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 20:20
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver AS ABAP Business Server Pages (Smart Forms), SAP_BASIS versions- 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54; does not sufficiently encode user controlled inputs, allowing an unauthenticated attacker to non-permanently deface or modify displayed content and/or steal authentication information of the user and/or impersonate the user and access all information with the same rights as the target user, leading to Reflected Cross Site Scripting Vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_as_abap_business_server_pagesSAP NetWeaver Application Server ABAP (Smart Forms) - SAP_BASIS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6220
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-4.4||MEDIUM
EPSS-0.15% / 35.06%
||
7 Day CHG~0.00%
Published-06 Jun, 2022 | 19:45
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

BI Launchpad and CMC in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Exploit is possible only when the bttoken in victim’s session is active.

Action-Not Available
Vendor-SAP SE
Product-business_objects_business_intelligence_platformSAP Business Objects Business Intelligence Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6193
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.42% / 62.20%
||
7 Day CHG~0.00%
Published-12 Feb, 2020 | 19:45
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver (Knowledge Management ICE Service), versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to execute malicious scripts leading to Reflected Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_knowledge_managementSAP NetWeaver (Knowledge Management ICE Service)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6216
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 47.54%
||
7 Day CHG~0.00%
Published-14 Apr, 2020 | 18:07
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP Business Objects Business Intelligence Platform (BI Launchpad)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6213
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.19% / 40.65%
||
7 Day CHG~0.00%
Published-24 Apr, 2020 | 22:17
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver AS ABAP Business Server Pages Test Application SBSPEXT_PHTMLB, versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, is vulnerable to reflected Cross-Site Scripting (XSS) via different URL parameters as it does not sufficiently encode user controlled inputs.

Action-Not Available
Vendor-SAP SE
Product-netweaver_as_abap_business_server_pagesSAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_PHTMLB)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2364
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.31% / 54.50%
||
7 Day CHG~0.00%
Published-14 Feb, 2018 | 12:00
Updated-05 Aug, 2024 | 04:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, S4FND 1.02, does not sufficiently validate and/or encode hidden fields, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-s4fndcustomer_relationship_management_webclient_uiSAP CRM WebClient UIS4FND
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6305
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.28% / 51.33%
||
7 Day CHG~0.00%
Published-14 Jan, 2020 | 17:52
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PI Rest Adapter of SAP Process Integration (update provided in SAP_XIAF 7.31, 7.40, 7.50) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-process_integrationSAP Process Integration - Rest Adapter (SAP_XIAF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2504
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.37% / 58.83%
||
7 Day CHG~0.00%
Published-11 Dec, 2018 | 23:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation or Cross-Site Scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_javaSAP NetWeaver AS Java (ServerCore)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2452
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.57% / 68.67%
||
7 Day CHG~0.00%
Published-11 Sep, 2018 | 15:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_javaSAP NetWeaver AS Java
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-6816
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 58.57%
||
7 Day CHG~0.00%
Published-19 Nov, 2013 | 19:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the (1) JavaDumpService and (2) DataCollector servlets in SAP NetWeaver allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aSAP SE
Product-netweavern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2371
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.31% / 54.50%
||
7 Day CHG~0.00%
Published-14 Feb, 2018 | 12:00
Updated-05 Aug, 2024 | 04:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SAML 2.0 service provider of SAP Netweaver AS Java Web Application, 7.50, does not sufficiently encode user controlled inputs, which results in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_java_web_applicationSAP NetWeaver Java Web Application
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2399
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.20% / 41.69%
||
7 Day CHG~0.00%
Published-14 Mar, 2018 | 19:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-Site Scripting in Process Monitoring Infrastructure, from 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, due to inefficient encoding of user controlled inputs.

Action-Not Available
Vendor-SAP SE
Product-process_monitoring_infrastructureSAP Process Monitoring Infrastructure
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2470
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.42% / 61.89%
||
7 Day CHG~0.00%
Published-09 Oct, 2018 | 13:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In SAP NetWeaver Application Server for ABAP, from 7.0 to 7.02, 7.30, 7.31, 7.40 and from 7.50 to 7.53, applications do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaverSAP NetWeaver Application Server for ABAP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2365
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.31% / 54.50%
||
7 Day CHG~0.00%
Published-01 Mar, 2018 | 17:00
Updated-05 Aug, 2024 | 04:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver Portal, WebDynpro Java, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_portalSAP NetWeaver Portal WebDynpro RunTime
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2472
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.42% / 61.89%
||
7 Day CHG~0.00%
Published-09 Oct, 2018 | 13:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 (Web Intelligence DHTML client) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_bi_platformSAP BusinessObjects Business Intelligence Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2464
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.42% / 61.89%
||
7 Day CHG~0.00%
Published-11 Sep, 2018 | 15:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP WebDynpro Java, versions 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaverSAP WebDynpro
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6201
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.37% / 58.98%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 20:19
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SAP Commerce (Testweb Extension), versions- 6.6, 6.7, 1808, 1811, 1905, does not sufficiently encode user-controlled inputs, due to which certain GET URL parameters are reflected in the HTTP responses without escaping/sanitization, leading to Reflected Cross Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-commerce_cloudSAP Commerce Cloud (Testweb Extension)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2479
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.37% / 58.83%
||
7 Day CHG~0.00%
Published-13 Nov, 2018 | 20:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (BIWorkspace), versions 4.1 and 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_bi_platformSAP BusinessObjects Business Intelligence Platform (BIWorkspace)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2431
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.42% / 61.89%
||
7 Day CHG~0.00%
Published-10 Jul, 2018 | 18:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligenceSAP BusinessObjects Business Intelligence Suite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6229
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 47.54%
||
7 Day CHG~0.00%
Published-14 Apr, 2020 | 18:20
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME), versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not sufficiently encode user controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_as_abap_business_server_pagesSAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6324
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.90% / 75.85%
||
7 Day CHG~0.00%
Published-09 Sep, 2020 | 13:10
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Netweaver AS ABAP(BSP Test Application sbspext_table), version-700,701,720,730,731,740,750,751,752,753,754,755, allows an unauthenticated attacker to send polluted URL to the victim, when the victim clicks on this URL, the attacker can read, modify the information available in the victim�s browser leading to Reflected Cross Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-netweaver_as_abap_business_server_pagesSAP NetWeaver AS ABAP (BSP Test Application)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6246
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.27% / 50.71%
||
7 Day CHG~0.00%
Published-10 Jun, 2020 | 12:34
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver AS ABAP Business Server Pages Test Application SBSPEXT_TABLE, versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_as_abap_business_server_pagesSAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6276
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 37.25%
||
7 Day CHG~0.00%
Published-14 Jul, 2020 | 12:30
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business Objects Business Intelligence Platform (bipodata), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP Business Objects Business Intelligence Platform (bipodata)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6210
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-4.7||MEDIUM
EPSS-0.42% / 62.08%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 20:21
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Fiori Launchpad, versions- 753, 754, does not sufficiently encode user-controlled inputs, and hence allowing the attacker to inject the meta tag into the launchpad html using the vulnerable parameter, leading to reflected Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-fiori_launchpadSAP Fiori Launchpad
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6284
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-9||CRITICAL
EPSS-0.89% / 75.70%
||
7 Day CHG~0.00%
Published-12 Aug, 2020 | 13:21
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver (Knowledge Management), versions - 7.30, 7.31, 7.40, 7.50, allows the automatic execution of script content in a stored file due to inadequate filtering with the accessing user's privileges. If the accessing user has administrative privileges, then the execution of the script content could result in complete compromise of system confidentiality, integrity and availability, leading to Stored Cross Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-netweaver_knowledge_managementSAP NetWeaver (Knowledge Management)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-42478
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-7.5||HIGH
EPSS-0.05% / 16.30%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 00:58
Updated-02 Aug, 2024 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform

SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to upload agnostic documents in the system which when opened by any other user could lead to high impact on integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-business_objects_business_intelligence_platformBusiness Objects BI Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-42479
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.15% / 35.06%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 00:59
Updated-26 Nov, 2024 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP Biller Direct

An unauthenticated attacker can embed a hidden access to a Biller Direct URL in a frame which, when loaded by the user, will submit a cross-site scripting request to the Biller Direct system. This can result in the disclosure or modification of non-sensitive information.

Action-Not Available
Vendor-SAP SE
Product-biller_directSAP Biller Direct
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-17865
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.22% / 44.62%
||
7 Day CHG~0.00%
Published-09 Aug, 2021 | 18:30
Updated-05 Aug, 2024 | 11:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in SAP J2EE Engine 7.01 allows remote attackers to inject arbitrary web script via the wsdlPath parameter to /ctcprotocol/Protocol. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Action-Not Available
Vendor-n/aSAP SE
Product-j2ee_enginen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-17862
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.47% / 64.58%
||
7 Day CHG~0.00%
Published-09 Aug, 2021 | 18:30
Updated-05 Aug, 2024 | 11:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in SAP J2EE Engine/7.01/Fiori allows remote attackers to inject arbitrary web script via the sys_jdbc parameter to /TestJDBC_Web/test2. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Action-Not Available
Vendor-n/aSAP SE
Product-j2ee_enginen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-40624
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-5.5||MEDIUM
EPSS-0.11% / 28.87%
||
7 Day CHG~0.00%
Published-12 Sep, 2023 | 02:00
Updated-25 Sep, 2024 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering)

SAP NetWeaver AS ABAP (applications based on Unified Rendering) - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, allows an attacker to inject JavaScript code that can be executed in the web-application. An attacker could thereby control the behavior of this web-application.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapSAP NetWeaver AS ABAP (applications based on Unified Rendering)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-5263
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.47% / 64.97%
||
7 Day CHG~0.00%
Published-12 Feb, 2013 | 20:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in RetrieveMailExamples in SAP NetWeaver 7.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the server parameter.

Action-Not Available
Vendor-n/aSAP SE
Product-netweavern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 131
  • 132
  • Next
Details not found