Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-6368

Summary
Assigner-sap
Assigner Org ID-e4686d1a-f260-4930-ac4c-2f5c992778dd
Published At-15 Oct, 2020 | 01:54
Updated At-04 Aug, 2024 | 09:02
Rejected At-
Credits

SAP Business Planning and Consolidation, versions - 750, 751, 752, 753, 754, 755, 810, 100, 200, can be abused by an attacker, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users, leading to Cross Site Scripting.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:sap
Assigner Org ID:e4686d1a-f260-4930-ac4c-2f5c992778dd
Published At:15 Oct, 2020 | 01:54
Updated At:04 Aug, 2024 | 09:02
Rejected At:
▼CVE Numbering Authority (CNA)

SAP Business Planning and Consolidation, versions - 750, 751, 752, 753, 754, 755, 810, 100, 200, can be abused by an attacker, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users, leading to Cross Site Scripting.

Affected Products
Vendor
SAP SESAP SE
Product
SAP Business Planning and Consolidation
Versions
Affected
  • < 750
  • < 751
  • < 752
  • < 753
  • < 754
  • < 755
  • < 810
  • < 100
  • < 200
Problem Types
TypeCWE IDDescription
textN/ACross Site Scripting
Type: text
CWE ID: N/A
Description: Cross Site Scripting
Metrics
VersionBase scoreBase severityVector
3.05.4MEDIUM
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Version: 3.0
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
x_refsource_MISC
https://launchpad.support.sap.com/#/notes/2960825
x_refsource_MISC
Hyperlink: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
Resource:
x_refsource_MISC
Hyperlink: https://launchpad.support.sap.com/#/notes/2960825
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
x_refsource_MISC
x_transferred
https://launchpad.support.sap.com/#/notes/2960825
x_refsource_MISC
x_transferred
Hyperlink: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://launchpad.support.sap.com/#/notes/2960825
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@sap.com
Published At:15 Oct, 2020 | 02:15
Updated At:19 Oct, 2020 | 19:50

SAP Business Planning and Consolidation, versions - 750, 751, 752, 753, 754, 755, 810, 100, 200, can be abused by an attacker, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users, leading to Cross Site Scripting.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Secondary3.05.4MEDIUM
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary2.03.5LOW
AV:N/AC:M/Au:S/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.0
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 2.0
Base score: 3.5
Base severity: LOW
Vector:
AV:N/AC:M/Au:S/C:N/I:P/A:N
CPE Matches
SAP SE
sap
>>business_planning_and_consolidation>>100
cpe:2.3:a:sap:business_planning_and_consolidation:100:*:*:*:*:*:*:*
SAP SE
sap
>>business_planning_and_consolidation>>200
cpe:2.3:a:sap:business_planning_and_consolidation:200:*:*:*:*:*:*:*
SAP SE
sap
>>business_planning_and_consolidation>>750
cpe:2.3:a:sap:business_planning_and_consolidation:750:*:*:*:*:*:*:*
SAP SE
sap
>>business_planning_and_consolidation>>751
cpe:2.3:a:sap:business_planning_and_consolidation:751:*:*:*:*:*:*:*
SAP SE
sap
>>business_planning_and_consolidation>>752
cpe:2.3:a:sap:business_planning_and_consolidation:752:*:*:*:*:*:*:*
SAP SE
sap
>>business_planning_and_consolidation>>753
cpe:2.3:a:sap:business_planning_and_consolidation:753:*:*:*:*:*:*:*
SAP SE
sap
>>business_planning_and_consolidation>>754
cpe:2.3:a:sap:business_planning_and_consolidation:754:*:*:*:*:*:*:*
SAP SE
sap
>>business_planning_and_consolidation>>755
cpe:2.3:a:sap:business_planning_and_consolidation:755:*:*:*:*:*:*:*
SAP SE
sap
>>business_planning_and_consolidation>>810
cpe:2.3:a:sap:business_planning_and_consolidation:810:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://launchpad.support.sap.com/#/notes/2960825cna@sap.com
Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196cna@sap.com
Vendor Advisory
Hyperlink: https://launchpad.support.sap.com/#/notes/2960825
Source: cna@sap.com
Resource:
Permissions Required
Hyperlink: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
Source: cna@sap.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

14130Records found
CVE-2019-0377
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 48.24%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:24
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store malicious scripts in the input controls, resulting in Stored Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0395
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.42% / 61.82%
||
7 Day CHG~0.00%
Published-11 Dec, 2019 | 21:34
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad), before version 4.2, allows execution of JavaScript in a text module in Fiori BI Launchpad, leading to Stored Cross Site Scripting vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0382
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.29% / 52.66%
||
7 Day CHG~0.00%
Published-13 Nov, 2019 | 21:59
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-Site Scripting vulnerability exists in SAP BusinessObjects Business Intelligence Platform (Web Intelligence-Publication related pages); corrected in version 4.2. Privileges are required in order to exploit this vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP BusinessObjects Business Intelligence Platform (Web Intelligence)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0369
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.29% / 52.20%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:19
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Financial Consolidation, before versions 10.0 and 10.1, does not sufficiently encode user-controlled inputs, which allows an attacker to execute scripts by uploading files containing malicious scripts, leading to reflected cross site scripting vulnerability.

Action-Not Available
Vendor-SAP SE
Product-financial_consolidationSAP Financial Consolidation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0254
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 53.40%
||
7 Day CHG~0.00%
Published-15 Feb, 2019 | 18:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Disclosure Management (before version 10.1 Stack 1301) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-disclosure_managementSAP Disclosure Management
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0025
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.52% / 66.75%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 03:10
Updated-21 Mar, 2025 | 14:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Solution Manager (BSP Application) - version 720, allows an authenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information or craft a payload which may restrict access to the desired resources.

Action-Not Available
Vendor-SAP SE
Product-solution_managerSolution Manager (BSP Application)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-6857
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.15% / 35.40%
||
7 Day CHG~0.00%
Published-31 Dec, 2016 | 06:56
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Create Catalogue feature in Hybris Management Console (HMC) in SAP Hybris before 5.2.0.13, 5.3.x before 5.3.0.11, 5.4.x before 5.4.0.11, 5.5.0.x before 5.5.0.10, 5.5.1.x before 5.5.1.11, 5.6.x before 5.6.0.11, and 5.7.x before 5.7.0.15 allows remote authenticated users to inject arbitrary web script or HTML via the ID field.

Action-Not Available
Vendor-n/aSAP SE
Product-hybrisn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-41208
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.40% / 60.99%
||
7 Day CHG~0.00%
Published-08 Nov, 2022 | 00:00
Updated-08 May, 2025 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Due to insufficient input validation, SAP Financial Consolidation - version 1010, allows an authenticated attacker with user privileges to alter current user session. On successful exploitation, the attacker can view or modify information, causing a limited impact on confidentiality and integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-financial_consolidationSAP Financial Consolidation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-39595
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 42.16%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 04:13
Updated-28 Oct, 2025 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse - Business Planning and Simulation

SAP Business Warehouse - Business Planning and Simulation application does not sufficiently encode user-controlled inputs, resulting in Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows users to modify website content and on successful exploitation, an attacker can cause low impact to the confidentiality and integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-business_warehousebusiness_warehouse_virtual_compSAP Business Warehouse - Business Planning and Simulation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-7728
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-0.18% / 39.11%
||
7 Day CHG~0.00%
Published-15 Oct, 2015 | 20:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in user creation in the Web-based Development Workbench in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to inject arbitrary web script or HTML via the username, aka SAP Security Note 2153898.

Action-Not Available
Vendor-n/aSAP SE
Product-hanan/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-7726
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-0.18% / 39.11%
||
7 Day CHG~0.00%
Published-15 Oct, 2015 | 20:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in role deletion in the Web-based Development Workbench in SAP HANA DB 1.00.091.00.1418659308 allows remote authenticated users to inject arbitrary web script or HTML via the role name, aka SAP Security Note 2153898.

Action-Not Available
Vendor-n/aSAP SE
Product-hanan/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-27902
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.78% / 73.82%
||
7 Day CHG~0.00%
Published-12 Mar, 2024 | 00:45
Updated-26 Feb, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP applications based on SAPGUI for HTML (WebGUI)

Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. A successful attack can allow a malicious attacker to access and modify data through their ability to execute code in a user’s browser. There is no impact on the availability of the system

Action-Not Available
Vendor-SAP SE
Product-netweaver_as_abapSAP NetWeaver AS ABAP applications based on SAPGUI for HTML (WebGUI)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-21447
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 49.51%
||
7 Day CHG~0.00%
Published-12 Jan, 2021 | 14:40
Updated-03 Aug, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence platform, versions 410, 420, allows an authenticated attacker to inject malicious JavaScript payload into the custom value input field of an Input Control, which can be executed by User who views the relevant application content, which leads to Stored Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligenceSAP BusinessObjects Business Intelligence platform (Web Intelligence HTML interface)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33682
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 46.28%
||
7 Day CHG~0.00%
Published-14 Jul, 2021 | 11:08
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Lumira Server version 2.4 does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with basic level privileges to store a malicious script on SAP Lumira Server. The execution of the script content, by a victim registered on SAP Lumira Server, could compromise the confidentiality and integrity of SAP Lumira content.

Action-Not Available
Vendor-SAP SE
Product-lumira_serverSAP Lumira Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-21489
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-4.8||MEDIUM
EPSS-0.24% / 46.76%
||
7 Day CHG~0.00%
Published-14 Sep, 2021 | 11:15
Updated-03 Aug, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver Enterprise Portal versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user related data, resulting in Stored Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with administrative privileges to store a malicious script on the portal. The execution of the script content by a victim registered on the portal could compromise the confidentiality and integrity of portal content.

Action-Not Available
Vendor-SAP SE
Product-netweaver_enterprise_portalSAP NetWeaver Enterprise Portal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6313
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 52.93%
||
7 Day CHG~0.00%
Published-09 Sep, 2020 | 12:43
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver Application Server JAVA(XML Forms) versions 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user controlled inputs, which allows an authenticated User with special roles to store malicious content, that when accessed by a victim, can perform malicious actions by executing JavaScript, leading to Stored Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_javaSAP NetWeaver AS JAVA (XML Forms)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-116
Improper Encoding or Escaping of Output
CVE-2020-6303
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.31% / 53.87%
||
7 Day CHG~0.00%
Published-14 Jan, 2020 | 17:52
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Disclosure Management, before version 10.1, does not validate user input properly in specific use cases leading to Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-disclosure_managementSAP Disclosure Management
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6370
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.64%
||
7 Day CHG~0.00%
Published-20 Oct, 2020 | 13:32
Updated-04 Aug, 2024 | 09:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver Design Time Repository (DTR), versions - 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_design_time_repositorySAP NetWeaver (DI Design Time Repository)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-29188
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.42% / 62.30%
||
7 Day CHG~0.00%
Published-09 May, 2023 | 00:57
Updated-28 Jan, 2025 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI

SAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data.

Action-Not Available
Vendor-SAP SE
Product-s4fndsapscorecustomer_relationship_management_webclient_uiSAP CRM WebClient UI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-29112
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-3.7||LOW
EPSS-0.40% / 61.02%
||
7 Day CHG~0.00%
Published-11 Apr, 2023 | 03:03
Updated-07 Feb, 2025 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Code Injection vulnerability in SAP Application Interface Framework (Message Monitoring)

The SAP Application Interface (Message Monitoring) - versions 600, 700, allows an authorized attacker to input links or headings with custom CSS classes into a comment. The comment will render links and custom CSS classes as HTML objects. After successful exploitations, an attacker can cause limited impact on the confidentiality and integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-application_interfaceApplication Interface Framework (Message Monitoring)
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0316
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-4.8||MEDIUM
EPSS-0.20% / 41.82%
||
7 Day CHG~0.00%
Published-14 Jun, 2019 | 18:50
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim’s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_process_integrationSAP NetWeaver Process Integration(SAP_XIESR)SAP NetWeaver Process Integration(SAP_XITOOL)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0244
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 53.30%
||
7 Day CHG~0.00%
Published-08 Jan, 2019 | 20:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-s4fndsapscorecustomer_relationship_management_webclient_uiSAP CRM WebClient UI (SAPSCORE)SAP CRM WebClient UI (S4FND)SAP CRM WebClient UI (WEBCUIF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0308
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-6.8||MEDIUM
EPSS-0.22% / 44.51%
||
7 Day CHG~0.00%
Published-12 Jun, 2019 | 14:21
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authenticated attacker in SAP E-Commerce (Business-to-Consumer application), versions 7.3, 7.31, 7.32, 7.33, 7.54, can change the price of the product to zero and also checkout, by injecting an HTML code in the application that will be executed whenever the victim logs in to the application even on a different machine, leading to Code Injection.

Action-Not Available
Vendor-SAP SE
Product-e-commerceSAP E-Commerce (Business-to-Consumer application)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0378
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 48.24%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:25
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before version 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store malicious scripts in the file name of the background image resulting in Stored Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0269
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 49.84%
||
7 Day CHG~0.00%
Published-12 Mar, 2019 | 22:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.10 and 4.20, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligenceSAP BusinessObjects Business Intelligence Platform (BI Workspace)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0262
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 53.40%
||
7 Day CHG~0.00%
Published-15 Feb, 2019 | 18:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP WebIntelligence BILaunchPad, versions 4.10, 4.20, does not sufficiently encode user-controlled inputs in generated HTML reports, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_bi_platformSAP WebIntelligence BILaunchPad (Enterprise)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0245
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 53.30%
||
7 Day CHG~0.00%
Published-08 Jan, 2019 | 20:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-s4fndsapscorecustomer_relationship_management_webclient_uiSAP CRM WebClient UI (SAPSCORE)SAP CRM WebClient UI (S4FND)SAP CRM WebClient UI (WEBCUIF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0334
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 44.49%
||
7 Day CHG~0.00%
Published-14 Aug, 2019 | 13:48
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When creating a module in SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, it is possible to store a malicious script which when executed later could potentially allow a user to escalate privileges via session hijacking. The attacker could also access other sensitive information, leading to Stored Cross Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligenceSAP BusinessObjects Business Intelligence Platform (BI Workspace)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0368
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.29% / 52.20%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:17
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs within the mail client resulting in Cross-Site Scripting vulnerability.

Action-Not Available
Vendor-SAP SE
Product-customer_relationship_management_bbpcrmcustomer_relationship_management_s4crmSAP Customer Relationship Management (Email Management - BBPCRM)SAP Customer Relationship Management (Email Management - S4CRM)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0385
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.29% / 52.66%
||
7 Day CHG~0.00%
Published-13 Nov, 2019 | 21:57
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Enable Now, before version 1908, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-enable_nowSAP Enable Now
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0374
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.39% / 59.93%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:21
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the chart title resulting in reflected Cross-Site Scripting

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2405
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 37.65%
||
7 Day CHG~0.00%
Published-10 Apr, 2018 | 15:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Solution Manager, 7.10, 7.20, Incident Management Work Center allows an attacker to upload a malicious script as an attachment and this could lead to possible Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-solution_managerSAP Solution Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2432
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.40% / 60.74%
||
7 Day CHG~0.00%
Published-10 Jul, 2018 | 18:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence (BI Launchpad and Central Management Console) versions 4.10, 4.20 and 4.30 allow an attacker to include invalidated data in the HTTP response header sent to a Web user. Successful exploitation of this vulnerability may lead to advanced attacks, including: cross-site scripting and page hijacking.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligenceSAP BusinessObjects Business Intelligence (BI Launchpad and Central Management Console)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2410
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.28% / 51.51%
||
7 Day CHG~0.00%
Published-10 Apr, 2018 | 15:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business One, 9.2, 9.3, browser access does not sufficiently encode user controlled inputs, which results in a Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-business_oneSAP Business One
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6266
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 38.04%
||
7 Day CHG~0.00%
Published-10 Jun, 2020 | 12:51
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Fiori for SAP S/4HANA, versions - 100, 200, 300, 400, allows an attacker to redirect users to a malicious site due to insufficient URL validation, leading to URL Redirection.

Action-Not Available
Vendor-SAP SE
Product-fioriSAP Fiori for SAP S/4HANA
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2020-26828
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.32% / 54.91%
||
7 Day CHG~0.00%
Published-09 Dec, 2020 | 16:30
Updated-04 Aug, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Disclosure Management, version - 10.1, provides capabilities for authorized users to upload and download content of specific file type. In some file types it is possible to enter formulas which can call external applications or execute scripts. The execution of a payload (script) on target machine could be used to steal and modify the data available in the spreadsheet

Action-Not Available
Vendor-SAP SE
Product-disclosure_managementSAP Disclosure Management.
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-31598
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.11% / 28.71%
||
7 Day CHG~0.00%
Published-12 Jul, 2022 | 20:26
Updated-03 Aug, 2024 | 07:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Due to insufficient input validation, SAP Business Objects - version 420, allows an authenticated attacker to submit a malicious request through an allowed operation. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-business_objects_business_intelligence_platformSAP Business Objects
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2023-23851
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 44.46%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 03:11
Updated-21 Mar, 2025 | 14:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business Planning and Consolidation - versions 200, 300, allows an attacker with business authorization to upload any files (including web pages) without the proper file format validation. If other users visit the uploaded malicious web page, the attacker may perform actions on behalf of the users without their consent impacting the confidentiality and integrity of the system.

Action-Not Available
Vendor-SAP SE
Product-business_planning_and_consolidationBusiness Planning and Consolidation
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-23855
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.17% / 37.32%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 03:14
Updated-20 Mar, 2025 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Solution Manager - version 720, allows an authenticated attacker to redirect users to a malicious site due to insufficient URL validation. A successful attack could lead an attacker to read or modify the information or expose the user to a phishing attack. As a result, it has a low impact to confidentiality, integrity and availability.

Action-Not Available
Vendor-SAP SE
Product-solution_managerSolution Manager
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2024-21734
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-3.7||LOW
EPSS-0.15% / 35.70%
||
7 Day CHG~0.00%
Published-09 Jan, 2024 | 00:54
Updated-14 Nov, 2024 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
URL Redirection vulnerability in SAP Marketing (Contacts App)

SAP Marketing (Contacts App) - version 160, allows an attacker with low privileges to trick a user to open malicious page which could lead to a very convincing phishing attack with low impact on confidentiality and integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-marketingSAP Marketing (Contacts App)
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2021-21445
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 38.99%
||
7 Day CHG~0.00%
Published-12 Jan, 2021 | 14:42
Updated-03 Aug, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user. A successful exploitation of this vulnerability may lead to advanced attacks, including cross-site scripting and page hijacking.

Action-Not Available
Vendor-SAP SE
Product-commerce_cloudSAP Commerce Cloud
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2014-5172
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.53% / 67.34%
||
7 Day CHG~0.00%
Published-31 Jul, 2014 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the XS Administration Tools in SAP HANA allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aSAP SE
Product-hanan/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23192
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-8.2||HIGH
EPSS-0.36% / 58.17%
||
7 Day CHG~0.00%
Published-10 Jun, 2025 | 00:10
Updated-23 Oct, 2025 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (BI Workspace)

SAP BusinessObjects Business Intelligence (BI Workspace) allows an unauthenticated attacker to craft and store malicious script within a workspace. When the victim accesses the workspace, the script will execute in their browser enabling the attacker to potentially access sensitive session information, modify or make browser information unavailable. This leads to a high impact on confidentiality and low impact on integrity, availability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligenceSAP BusinessObjects Business Intelligence (BI Workspace)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6281
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 37.25%
||
7 Day CHG~0.00%
Published-14 Jul, 2020 | 12:30
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting reflected in Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP Business Objects Business Intelligence Platform (BI Launchpad)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-3134
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 55.89%
||
7 Day CHG~0.00%
Published-30 Apr, 2014 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the InfoView application in SAP BusinessObjects allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aSAP SE
Product-businessobjectsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1964
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 55.89%
||
7 Day CHG~0.00%
Published-14 Feb, 2014 | 15:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Integration Repository in the SAP Exchange Infrastructure (BC-XI) component in SAP NetWeaver allows remote attackers to inject arbitrary web script or HTML via vectors related to the ESR application and a DIR error.

Action-Not Available
Vendor-n/aSAP SE
Product-netweaver_exchange_infrastructure_\(bc-xi\)netweavern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1965
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 55.89%
||
7 Day CHG~0.00%
Published-14 Feb, 2014 | 15:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in ISpeakAdapter in the Integration Repository in the SAP Exchange Infrastructure (BC-XI) component 3.0, 7.00 through 7.02, and 7.10 through 7.11 for SAP NetWeaver allows remote attackers to inject arbitrary web script or HTML via vectors related to PIP.

Action-Not Available
Vendor-n/aSAP SE
Product-netweavern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6367
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-8.2||HIGH
EPSS-1.25% / 79.50%
||
7 Day CHG~0.00%
Published-20 Oct, 2020 | 13:32
Updated-04 Aug, 2024 | 09:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There is a reflected cross site scripting vulnerability in SAP NetWeaver Composite Application Framework, versions - 7.20, 7.30, 7.31, 7.40, 7.50. An unauthenticated attacker can trick an unsuspecting authenticated user to click on a malicious link. The end users browser has no way to know that the script should not be trusted, and will execute the script, resulting in sensitive information being disclosed or modified.

Action-Not Available
Vendor-SAP SE
Product-netweaver_composite_application_frameworkSAP NetWeaver Composite Application Framework
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-49577
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.11% / 28.57%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 01:04
Updated-02 Aug, 2024 | 22:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in the SAP HCM (SMART PAYE solution)

The SAP HCM (SMART PAYE solution) - versions S4HCMCIE 100, SAP_HRCIE 600, SAP_HRCIE 604, SAP_HRCIE 608, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-human_capital_managementSAP HCM (SMART PAYE solution)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6205
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.51% / 66.46%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 20:20
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver AS ABAP Business Server Pages (Smart Forms), SAP_BASIS versions- 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54; does not sufficiently encode user controlled inputs, allowing an unauthenticated attacker to non-permanently deface or modify displayed content and/or steal authentication information of the user and/or impersonate the user and access all information with the same rights as the target user, leading to Reflected Cross Site Scripting Vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_as_abap_business_server_pagesSAP NetWeaver Application Server ABAP (Smart Forms) - SAP_BASIS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 282
  • 283
  • Next
Details not found