Byte Open Security

(ByteOS Network)

Vulnerability Details :

CVE-2022-29610

Summary
Assigner: sap
Assigner Org ID: e4686d1a-f260-4930-ac4c-2f5c992778dd
Published At: 11 May, 2022 | 14:56
Updated At: 03 Aug, 2024 | 06:26

SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in Stored Cross-Site Scripting (XSS) attack.

▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner: sap
Assigner Org ID: e4686d1a-f260-4930-ac4c-2f5c992778dd
Published At: 11 May, 2022 | 14:56
Updated At: 03 Aug, 2024 | 06:26
▼CVE Numbering Authority (CNA)

SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in Stored Cross-Site Scripting (XSS) attack.

Affected Products
Vendor: SAP SE
Product: SAP NetWeaver Application Server ABAP
Affected versions:
  • 753
  • 754
  • 755
  • 756
Problem Types
Type: CWE
CWE ID: CWE-79
Description: CWE-79
References
Hyperlink: https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Resource: x_refsource_MISC
Hyperlink: https://launchpad.support.sap.com/#/notes/3146336
Resource: x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
References
Hyperlink: https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Resource: x_refsource_MISC, x_transferred
Hyperlink: https://launchpad.support.sap.com/#/notes/3146336
Resource: x_refsource_MISC, x_transferred
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source: cna@sap.com
Published At: 11 May, 2022 | 15:15
Updated At: 19 May, 2022 | 03:18

SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in Stored Cross-Site Scripting (XSS) attack.

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Type: Primary
Version: 2.0
Base score: 3.5
Base severity: LOW
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
CPE Matches

Vendor: SAP SE (sap)
  • netweaver_application_server_abap 753: cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*
  • netweaver_application_server_abap 754: cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*
  • netweaver_application_server_abap 755: cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*
  • netweaver_application_server_abap 756: cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*
Weaknesses
CWE ID: CWE-79
Type: Primary
Source: cna@sap.com
References
Hyperlink: https://launchpad.support.sap.com/#/notes/3146336
Source: cna@sap.com
Resource: Permissions Required, Vendor Advisory
Hyperlink: https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Source: cna@sap.com
Resource: Vendor Advisory


Similar CVEs

12692 Records found

CVE-2019-0308
Matching Score-10
Assigner-SAP SE
CVSS Score-6.8 (MEDIUM)
EPSS-0.28% / 50.77%
7 Day CHG~0.00%
Published-12 Jun, 2019 | 14:21
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authenticated attacker in SAP E-Commerce (Business-to-Consumer application), versions 7.3, 7.31, 7.32, 7.33, 7.54, can change the price of the product to zero and also checkout, by injecting an HTML code in the application that will be executed whenever the victim logs in to the application even on a different machine, leading to Code Injection.

Action-Not Available
Vendor-SAP SE
Product-e-commerce; SAP E-Commerce (Business-to-Consumer application)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0385
Matching Score-10
Assigner-SAP SE
CVSS Score-6.5 (MEDIUM)
EPSS-0.35% / 56.72%
7 Day CHG~0.00%
Published-13 Nov, 2019 | 21:57
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Enable Now, before version 1908, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-enable_now; SAP Enable Now
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0245
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.32% / 54.21%
7 Day CHG~0.00%
Published-08 Jan, 2019 | 20:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-s4fnd; sapscore; customer_relationship_management_webclient_ui; SAP CRM WebClient UI (SAPSCORE); SAP CRM WebClient UI (S4FND); SAP CRM WebClient UI (WEBCUIF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-47594
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.15% / 35.62%
7 Day CHG~0.00%
Published-08 Oct, 2024 | 03:21
Updated-14 Nov, 2024 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC)

SAP NetWeaver Enterprise Portal (KMC) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability in KMC servlet. An attacker could craft a script and trick the user into clicking it. When a victim who is registered on the portal clicks on such link, confidentiality and integrity of their web browser session could be compromised.

Action-Not Available
Vendor-SAP SE
Product-netweaver_enterprise_portal; SAP NetWeaver Enterprise Portal (KMC)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0262
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.32% / 54.28%
7 Day CHG~0.00%
Published-15 Feb, 2019 | 18:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP WebIntelligence BILaunchPad, versions 4.10, 4.20, does not sufficiently encode user-controlled inputs in generated HTML reports, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_bi_platform; SAP WebIntelligence BILaunchPad (Enterprise)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0377
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.30% / 52.69%
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:24
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store malicious scripts in the input controls, resulting in Stored Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platform; SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0368
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.34% / 56.21%
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:17
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs within the mail client resulting in Cross-Site Scripting vulnerability.

Action-Not Available
Vendor-SAP SE
Product-customer_relationship_management_bbpcrm; customer_relationship_management_s4crm; SAP Customer Relationship Management (Email Management - BBPCRM); SAP Customer Relationship Management (Email Management - S4CRM)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0244
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.32% / 54.21%
7 Day CHG~0.00%
Published-08 Jan, 2019 | 20:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-s4fnd; sapscore; customer_relationship_management_webclient_ui; SAP CRM WebClient UI (SAPSCORE); SAP CRM WebClient UI (S4FND); SAP CRM WebClient UI (WEBCUIF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-45278
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.15% / 35.62%
7 Day CHG~0.00%
Published-08 Oct, 2024 | 03:21
Updated-14 Nov, 2024 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice

SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-commerce_backoffice; SAP Commerce Backoffice; sap_commerce_backoffice
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0382
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.35% / 56.72%
7 Day CHG~0.00%
Published-13 Nov, 2019 | 21:59
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-Site Scripting vulnerability exists in SAP BusinessObjects Business Intelligence Platform (Web Intelligence-Publication related pages); corrected in version 4.2. Privileges are required in order to exploit this vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platform; SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0275
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.25% / 48.39%
7 Day CHG~0.00%
Published-12 Mar, 2019 | 22:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_java; SAP NetWeaver Java Application Server (J2EE-APPS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0378
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.30% / 52.69%
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:25
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before version 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store malicious scripts in the file name of the background image resulting in Stored Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platform; SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0395
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.50% / 64.79%
7 Day CHG~0.00%
Published-11 Dec, 2019 | 21:34
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad), before version 4.2, allows execution of JavaScript in a text module in Fiori BI Launchpad, leading to Stored Cross Site Scripting vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platform; SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0375
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.46% / 63.23%
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:22
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the export dialog box of the report name resulting in reflected Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platform; SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0369
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.34% / 56.21%
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:19
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Financial Consolidation, before versions 10.0 and 10.1, does not sufficiently encode user-controlled inputs, which allows an attacker to execute scripts by uploading files containing malicious scripts, leading to reflected cross site scripting vulnerability.

Action-Not Available
Vendor-SAP SE
Product-financial_consolidation; SAP Financial Consolidation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0254
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.32% / 54.28%
7 Day CHG~0.00%
Published-15 Feb, 2019 | 18:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Disclosure Management (before version 10.1 Stack 1301) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-disclosure_management; SAP Disclosure Management
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41735
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.15% / 35.62%
7 Day CHG~0.00%
Published-13 Aug, 2024 | 03:49
Updated-12 Sep, 2024 | 13:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice

SAP Commerce Backoffice does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability causing low impact on confidentiality and integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-commerce_backoffice; SAP Commerce Backoffice
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0316
Matching Score-10
Assigner-SAP SE
CVSS Score-4.8 (MEDIUM)
EPSS-0.24% / 46.79%
7 Day CHG~0.00%
Published-14 Jun, 2019 | 18:50
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim’s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_process_integration; SAP NetWeaver Process Integration(SAP_XIESR); SAP NetWeaver Process Integration(SAP_XITOOL)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-27902
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.60% / 68.42%
7 Day CHG~0.00%
Published-12 Mar, 2024 | 00:45
Updated-26 Feb, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP applications based on SAPGUI for HTML (WebGUI)

Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. A successful attack can allow a malicious attacker to access and modify data through their ability to execute code in a user’s browser. There is no impact on the availability of the system

Action-Not Available
Vendor-SAP SE
Product-netweaver_as_abap; SAP NetWeaver AS ABAP applications based on SAPGUI for HTML (WebGUI)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2397
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.17% / 38.48%
7 Day CHG~0.00%
Published-14 Mar, 2018 | 19:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In SAP Business Objects Business Intelligence Platform, 4.00, 4.10, 4.20, 4.30, the Central Management Console (CMC) does not sufficiently encode user controlled inputs which results in Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platform; SAP Business Objects Business Intelligence Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-22129
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.38% / 58.67%
7 Day CHG~0.00%
Published-13 Feb, 2024 | 03:40
Updated-16 Oct, 2024 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP Companion

SAP Companion - version <3.1.38, has a URL with parameter that could be vulnerable to XSS attack. The attacker could send a malicious link to a user that would possibly allow an attacker to retrieve the sensitive information and cause minor impact on the integrity of the web application.

Action-Not Available
Vendor-SAP SE
Product-companion; SAP Companion
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2486
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.42% / 61.28%
7 Day CHG~0.00%
Published-11 Dec, 2018 | 23:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Marketing (UICUAN (1.20, 1.30, 1.40), SAPSCORE (1.13, 1.14)) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-marketing_sapscore; marketing_uicuan; SAP Marketing (UICUAN); SAP Marketing (SAPSCORE)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-22130
Matching Score-10
Assigner-SAP SE
CVSS Score-7.6 (HIGH)
EPSS-0.38% / 58.67%
7 Day CHG~0.00%
Published-13 Feb, 2024 | 02:29
Updated-09 May, 2025 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI

Print preview option in SAP CRM WebClient UI - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability. An attacker with low privileges can cause limited impact to confidentiality and integrity of the application data after successful exploitation.

Action-Not Available
Vendor-SAP SE
Product-crm_-_webclient_ui; SAP CRM WebClient UI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-21738
Matching Score-10
Assigner-SAP SE
CVSS Score-4.1 (MEDIUM)
EPSS-0.20% / 42.10%
7 Day CHG~0.00%
Published-09 Jan, 2024 | 01:19
Updated-03 Jun, 2025 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Application Server and ABAP Platform

SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abap; SAP NetWeaver ABAP Application Server and ABAP Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-35294
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.67% / 70.44%
7 Day CHG~0.00%
Published-13 Sep, 2022 | 15:43
Updated-03 Aug, 2024 | 09:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abap; SAP NetWeaver AS ABAP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-35297
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.84% / 73.76%
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-03 Aug, 2024 | 09:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The application SAP Enable Now does not sufficiently encode user-controlled inputs over the network before it is placed in the output being served to other users, thereby expanding the attack scope, resulting in Stored Cross-Site Scripting (XSS) vulnerability leading to limited impact on Confidentiality, Integrity and Availability.

Action-Not Available
Vendor-SAP SE
Product-enable_now; SAP Enable Now
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33664
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.24% / 46.71%
7 Day CHG~0.00%
Published-09 Jun, 2021 | 13:32
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abap; SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-27601
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.16% / 37.61%
7 Day CHG~0.00%
Published-13 Apr, 2021 | 18:43
Updated-03 Aug, 2024 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_java; SAP NetWeaver AS for Java (Applications based on HTMLB for Java)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6257
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.16% / 37.61%
7 Day CHG~0.00%
Published-12 May, 2020 | 17:53
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad) 4.2 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platform; SAP Business Objects Business Intelligence Platform (CMC and BI launchpad)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6368
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.38% / 58.88%
7 Day CHG~0.00%
Published-15 Oct, 2020 | 01:54
Updated-04 Aug, 2024 | 09:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business Planning and Consolidation, versions - 750, 751, 752, 753, 754, 755, 810, 100, 200, can be abused by an attacker, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users, leading to Cross Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-business_planning_and_consolidation; SAP Business Planning and Consolidation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6226
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4 (MEDIUM)
EPSS-0.32% / 54.47%
7 Day CHG~0.00%
Published-14 Apr, 2020 | 18:33
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-21445
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.65%
7 Day CHG~0.00%
Published-12 Jan, 2021 | 14:42
Updated-03 Aug, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user. A successful exploitation of this vulnerability may lead to advanced attacks, including cross-site scripting and page hijacking.

Action-Not Available
Vendor-SAP SE
Product-commerce_cloudSAP Commerce Cloud
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2022-31598
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.11% / 29.80%
7 Day CHG~0.00%
Published-12 Jul, 2022 | 20:26
Updated-03 Aug, 2024 | 07:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Due to insufficient input validation, SAP Business Objects - version 420, allows an authenticated attacker to submit a malicious request through an allowed operation. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-business_objects_business_intelligence_platformSAP Business Objects
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2023-23851
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 36.99%
7 Day CHG~0.00%
Published-14 Feb, 2023 | 03:11
Updated-21 Mar, 2025 | 14:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business Planning and Consolidation - versions 200, 300, allows an attacker with business authorization to upload any files (including web pages) without the proper file format validation. If other users visit the uploaded malicious web page, the attacker may perform actions on behalf of the users without their consent impacting the confidentiality and integrity of the system.

Action-Not Available
Vendor-SAP SE
Product-business_planning_and_consolidationBusiness Planning and Consolidation
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-23855
Matching Score-8
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 17.55%
7 Day CHG~0.00%
Published-14 Feb, 2023 | 03:14
Updated-20 Mar, 2025 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Solution Manager - version 720, allows an authenticated attacker to redirect users to a malicious site due to insufficient URL validation. A successful attack could lead an attacker to read or modify the information or expose the user to a phishing attack. As a result, it has a low impact to confidentiality, integrity and availability.

Action-Not Available
Vendor-SAP SE
Product-solution_managerSolution Manager
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2024-21734
Matching Score-8
Assigner-SAP SE
CVSS Score-3.7||LOW
EPSS-0.15% / 36.70%
7 Day CHG~0.00%
Published-09 Jan, 2024 | 00:54
Updated-14 Nov, 2024 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
URL Redirection vulnerability in SAP Marketing (Contacts App)

SAP Marketing (Contacts App) - version 160, allows an attacker with low privileges to trick a user to open malicious page which could lead to a very convincing phishing attack with low impact on confidentiality and integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-marketingSAP Marketing (Contacts App)
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2020-6266
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 38.86%
7 Day CHG~0.00%
Published-10 Jun, 2020 | 12:51
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Fiori for SAP S/4HANA, versions - 100, 200, 300, 400, allows an attacker to redirect users to a malicious site due to insufficient URL validation, leading to URL Redirection.

Action-Not Available
Vendor-SAP SE
Product-fioriSAP Fiori for SAP S/4HANA
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2018-2464
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.42% / 60.95%
7 Day CHG~0.00%
Published-11 Sep, 2018 | 15:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP WebDynpro Java, versions 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaverSAP WebDynpro
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2431
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.42% / 60.95%
7 Day CHG~0.00%
Published-10 Jul, 2018 | 18:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligenceSAP BusinessObjects Business Intelligence Suite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2371
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.31% / 53.90%
7 Day CHG~0.00%
Published-14 Feb, 2018 | 12:00
Updated-05 Aug, 2024 | 04:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SAML 2.0 service provider of SAP Netweaver AS Java Web Application, 7.50, does not sufficiently encode user controlled inputs, which results in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_java_web_applicationSAP NetWeaver Java Web Application
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2364
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.31% / 53.90%
7 Day CHG~0.00%
Published-14 Feb, 2018 | 12:00
Updated-05 Aug, 2024 | 04:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, S4FND 1.02, does not sufficiently validate and/or encode hidden fields, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-s4fndcustomer_relationship_management_webclient_uiSAP CRM WebClient UIS4FND
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2365
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.31% / 53.90%
7 Day CHG~0.00%
Published-01 Mar, 2018 | 17:00
Updated-05 Aug, 2024 | 04:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver Portal, WebDynpro Java, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_portalSAP NetWeaver Portal WebDynpro RunTime
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2399
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.20% / 42.12%
7 Day CHG~0.00%
Published-14 Mar, 2018 | 19:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-Site Scripting in Process Monitoring Infrastructure, from 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, due to inefficient encoding of user controlled inputs.

Action-Not Available
Vendor-SAP SE
Product-process_monitoring_infrastructureSAP Process Monitoring Infrastructure
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2502
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.39% / 59.31%
7 Day CHG~0.00%
Published-11 Dec, 2018 | 23:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TRACE method is enabled in SAP Business One Service Layer. Attacker can use XST (Cross Site Tracing) attack if frontend applications that are using Service Layer have an XSS vulnerability. This has been fixed in SAP Business One Service Layer (B1_ON_HANA, versions 9.2, 9.3).

Action-Not Available
Vendor-SAP SE
Product-business_one_on_hanaSAP Business One Service Layer (B1_ON_HANA)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2388
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.26% / 49.31%
7 Day CHG~0.00%
Published-14 Feb, 2018 | 12:00
Updated-05 Aug, 2024 | 04:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting vulnerability in SAP internet Graphics Server, 7.20, 7.20EXT, 7.45, 7.49, 7.53.

Action-Not Available
Vendor-SAP SE
Product-internet_graphics_serverSAP Internet Graphics Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2505
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.44% / 62.41%
7 Day CHG~0.00%
Published-11 Dec, 2018 | 23:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Commerce does not sufficiently validate user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability in storefronts that are based on the product. Fixed in versions (SAP Hybris Commerce, versions 6.2, 6.3, 6.4, 6.5, 6.6, 6.7).

Action-Not Available
Vendor-SAP SE
Product-hybrisSAP Commerce (SAP Hybris Commerce)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2435
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.42% / 60.95%
7 Day CHG~0.00%
Published-10 Jul, 2018 | 18:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver Enterprise Portal from 7.0 to 7.02, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_enterprise_portalSAP NetWeaver Enterprise Portal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2472
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.43% / 61.98%
7 Day CHG~0.00%
Published-09 Oct, 2018 | 13:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 (Web Intelligence DHTML client) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_bi_platformSAP BusinessObjects Business Intelligence Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2452
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.57% / 67.56%
7 Day CHG~0.00%
Published-11 Sep, 2018 | 15:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_javaSAP NetWeaver AS Java
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-2103
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-21.77% / 95.53%
7 Day CHG~0.00%
Published-27 May, 2010 | 22:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in axis2-admin/axis2-admin/engagingglobally in the administration console in Apache Axis2/Java 1.4.1, 1.5.1, and possibly other versions, as used in SAP Business Objects 12, 3com IMC, and possibly other products, allows remote attackers to inject arbitrary web script or HTML via the modules parameter. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-3comn/aThe Apache Software FoundationSAP SE
Product-intelligent_management_centeraxis2business_objectsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')