SAP Cloud Connector, version - 2.0, allows the upload of zip files as backup. This backup file can be tricked to inject special elements such as '..' and '/' separators, for attackers to escape outside of the restricted location to access files or directories.
The File RepositoRy Server (FRS) CORBA listener in SAP BussinessObjects Edge 4.0 allows remote attackers to read arbitrary files via a full pathname, aka SAP Note 2018682.
Directory traversal vulnerability in hybris Commerce software suite 5.0.3.3 and earlier, 5.0.0.3 and earlier, 5.0.4.4 and earlier, 5.1.0.1 and earlier, 5.1.1.2 and earlier, 5.2.0.3 and earlier, and 5.3.0.1 and earlier.
Directory traversal vulnerability in SAP Environment, Health, and Safety allows remote attackers to read arbitrary files via unspecified vectors.
SAP Master Data Governance File Upload application allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing ‘traverse to parent directory’ are passed through to the file APIs. As a result, it has a low impact to the confidentiality.
Directory traversal vulnerability in the Exportability Check Service in SAP NetWeaver allows remote attackers to read arbitrary files via unspecified vectors.
Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.
Under specific circumstances SAP Master Data Management, versions - 710, 710.750, allows an unauthorized attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file APIs. Due to this Directory Traversal vulnerability the attacker could read content of arbitrary files on the remote server and expose sensitive data.
Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.
Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971.
The SAP Management Console in SAP NetWeaver 7.40 allows remote attackers to obtain sensitive information via the ReadProfile parameters, aka SAP Security Note 2091768.
The Auditing service in SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information by reading an audit event, aka SAP Note 2011395.
Under certain conditions, SAP Business One version - 10.0, allows an unauthorized attacker to get access to some encrypted sensitive information, but does not have control over kind or degree.
Due to improper input sanitization, specially crafted LDAP queries can be injected by an unauthenticated user. This could partially impact the confidentiality of the application.
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 702, 730, 731, 804, 740, 750, 784, expose functions to external which can lead to information disclosure.
The User & Server configuration, InfoView refresh, user rights (BI-BIP-ADM) component in SAP Business Intellignece allows remote attackers to obtain audit event details via unspecified vectors.
The SAP Business Intelligence Development Workbench allows remote attackers to obtain sensitive information by reading unspecified files.
SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service.
polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 replies with different timing depending on if a connection can be made, which allows remote attackers to conduct port scanning attacks via a host name and port in the cms parameter.
Unspecified vulnerability in the MessagingSystem servlet in SAP NetWeaver 7.0 allows remote attackers to obtain sensitive information about the MessagingSystem Performance Data via unspecified vectors.
In SAP Commerce, valid user accounts can be identified during the customer registration and login processes. This allows a potential attacker to learn if a given e-mail is used for an account, but does not grant access to any customer data beyond this knowledge. The attacker must already know the e-mail that they wish to test for. The impact on confidentiality therefore is low and no impact to integrity or availability
SAP Capacity Leveling has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.
SAP Document Builder does not perform necessary authorization checks for one of the function modules resulting in escalation of privileges causing low impact on confidentiality of the application.
SAP NetWeaver 7.20 and earlier allows remote attackers to read arbitrary SAP Central User Administration (SAP CUA) tables via unspecified vectors.
SAP CCMS Monitoring (BC-CCM-MON) has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.
SAP Brazil add-on has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.
The (1) Structures and (2) Project-Oriented Procurement components in SAP Project System has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.
SAP BusinessObjects Enterprise XI 3.2 allows remote attackers to trigger TCP connections to arbitrary intranet hosts on any port, and obtain potentially sensitive information about open ports, via the apstoken parameter to the CrystalReports/viewrpt.cwr URI, related to an "internal port scanning" issue.
SAP Transaction Data Pool has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.
The SAP Trader's and Scheduler's Workbench (TSW) for SAP Oil & Gas has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.
SAP UI5 did not validate user input before adding it to the DOM structure. This may lead to malicious user-provided JavaScript code being added to the DOM that could steal user information. Software components affected are: SAP Hana Database 1.00, 2.00; SAP UI5 1.00; SAP UI5 (Java) 7.30, 7.31, 7.40, 7,50; SAP UI 7.40, 7.50, 7.51, 7.52, and version 2.0 of SAP UI for SAP NetWeaver 7.00
Admin tools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allow an unauthenticated user to read sensitive information (server name), hence leading to an information disclosure.
Under certain conditions SAP Business Client 6.5 allows an attacker to access information which would otherwise be restricted.
Users of an SAP Mobile Platform (version 3.0) Offline OData application, which uses Offline OData-supplied delta tokens (which is on by default), occasionally receive some data values of a different user.
Under certain conditions, the SAP Identity Management 8.0 (pass of type ToASCII) allows an attacker to access information which would otherwise be restricted.
Under certain conditions SAP UI5 Handler allows an attacker to access information which would otherwise be restricted. Software components affected are: SAP Infrastructure 1.0, SAP UI 7.4, 7.5, 7.51, 7.52 and version 2.0 of SAP UI for SAP NetWeaver 7.00.
Under certain conditions SAP HANA, 1.00, 2.00, allows an unauthenticated attacker to access information which would otherwise be restricted. An attacker can misuse the authentication function of the SAP HANA server on its SQL interface and disclose 8 bytes of the server process memory. The attacker cannot influence or predict the location of the leaked memory.
A security weakness in SAP Financial Consolidation Cube Designer (BOBJ_EADES fixed in versions 8.0, 10.1) may allow an attacker to discover the password hash of an admin user.
A remote unauthenticated attacker, SAP HANA 1.00 and 2.00, could send specially crafted SOAP requests to the SAP Startup Service and disclose information such as the platform's hostname.
Under certain conditions SAP SRM-MDM (CATALOG versions 3.0, 7.01, 7.02) utilities functionality allows an attacker to access information of user existence which would otherwise be restricted.
Under certain conditions SAP Adaptive Server Enterprise (ASE), versions 15.7 and 16.0, allows an attacker to access information which would otherwise be restricted.
The Omni Commerce Connect API (OCC) of SAP Hybris Commerce, versions 6.*, is vulnerable to server-side request forgery (SSRF) attacks. This is due to a misconfiguration of XML parser that is used in the server-side implementation of OCC.
In the Software Development Kit in SAP BusinessObjects BI Platform Servers, versions 4.1 and 4.2, using the specially crafted URL in a Web Browser such as Chrome the system returns an error with the path of the used application server.
The HANA ICM process in SAP HANA allows remote attackers to obtain the platform version, host name, instance number, and possibly other sensitive information via a malformed HTTP GET request.
Under certain conditions, Crystal Report using SAP Business One, versions 9.2 and 9.3, connection type allows an attacker to access information which would otherwise be restricted.
Server Side Request Forgery (SSRF) vulnerability in SAP Central Management Console, BI Launchpad and Fiori BI Launchpad, 4.10, from 4.20, from 4.30, could allow a malicious user to use common techniques to determine which ports are in use on the backend server.
Under certain conditions the backup server in SAP Adaptive Server Enterprise (ASE), versions 15.7 and 16.0, allows an attacker to access information which would otherwise be restricted.
Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 allows an attacker to access information which would otherwise be restricted.
Under certain circumstances, a specific endpoint of the Controller's API could be misused by unauthenticated users to execute SQL statements that deliver information about system configuration in SAP HANA Extended Application Services, 1.0.
The Java Server Pages in the Software Lifecycle Manager (SLM) in SAP NetWeaver allows remote attackers to obtain sensitive information via a crafted request, related to SAP Solution Manager 7.1.