Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-33984

Summary
Assigner-sap
Assigner Org ID-e4686d1a-f260-4930-ac4c-2f5c992778dd
Published At-13 Jun, 2023 | 02:44
Updated At-03 Jan, 2025 | 02:04
Rejected At-
Credits

Cross-Site Scripting (XSS) vulnerability in NetWeaver (Design Time Repository)

SAP NetWeaver (Design Time Repository) - version 7.50, returns an unfavorable content type for some versioned files, which could allow an authorized attacker to create a file with a malicious content and send a link to a victim in an email or instant message. Under certain circumstances, this could lead to Cross-Site Scripting vulnerability.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:sap
Assigner Org ID:e4686d1a-f260-4930-ac4c-2f5c992778dd
Published At:13 Jun, 2023 | 02:44
Updated At:03 Jan, 2025 | 02:04
Rejected At:
▼CVE Numbering Authority (CNA)
Cross-Site Scripting (XSS) vulnerability in NetWeaver (Design Time Repository)

SAP NetWeaver (Design Time Repository) - version 7.50, returns an unfavorable content type for some versioned files, which could allow an authorized attacker to create a file with a malicious content and send a link to a victim in an email or instant message. Under certain circumstances, this could lead to Cross-Site Scripting vulnerability.

Affected Products
Vendor
SAP SESAP_SE
Product
SAP NetWeaver (Design Time Repository)
Default Status
unaffected
Versions
Affected
  • 7.50
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.16.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://launchpad.support.sap.com/#/notes/3318657
N/A
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
N/A
Hyperlink: https://launchpad.support.sap.com/#/notes/3318657
Resource: N/A
Hyperlink: https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://launchpad.support.sap.com/#/notes/3318657
x_transferred
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
x_transferred
Hyperlink: https://launchpad.support.sap.com/#/notes/3318657
Resource:
x_transferred
Hyperlink: https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@sap.com
Published At:13 Jun, 2023 | 03:15
Updated At:20 Jun, 2023 | 19:37

SAP NetWeaver (Design Time Repository) - version 7.50, returns an unfavorable content type for some versioned files, which could allow an authorized attacker to create a file with a malicious content and send a link to a victim in an email or instant message. Under certain circumstances, this could lead to Cross-Site Scripting vulnerability.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Secondary3.16.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CPE Matches
SAP SE
sap
>>netweaver>>7.50
cpe:2.3:a:sap:netweaver:7.50:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarycna@sap.com
CWE ID: CWE-79
Type: Primary
Source: cna@sap.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://launchpad.support.sap.com/#/notes/3318657cna@sap.com
Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.htmlcna@sap.com
Vendor Advisory
Hyperlink: https://launchpad.support.sap.com/#/notes/3318657
Source: cna@sap.com
Resource:
Permissions Required
Hyperlink: https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Source: cna@sap.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

9765Records found
CVE-2019-0376
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 52.69%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:23
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows an attacker to save malicious scripts in the publication name, which can be executed later by the victim, resulting in Stored Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0374
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.46% / 63.23%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:21
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the chart title resulting in reflected Cross-Site Scripting

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0395
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.50% / 64.79%
||
7 Day CHG~0.00%
Published-11 Dec, 2019 | 21:34
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad), before version 4.2, allows execution of JavaScript in a text module in Fiori BI Launchpad, leading to Stored Cross Site Scripting vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0378
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 52.69%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:25
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before version 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store malicious scripts in the file name of the background image resulting in Stored Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0375
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.46% / 63.23%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:22
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the export dialog box of the report name resulting in reflected Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0368
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.34% / 56.21%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:17
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs within the mail client resulting in Cross-Site Scripting vulnerability.

Action-Not Available
Vendor-SAP SE
Product-customer_relationship_management_bbpcrmcustomer_relationship_management_s4crmSAP Customer Relationship Management (Email Management - BBPCRM)SAP Customer Relationship Management (Email Management - S4CRM)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0377
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 52.69%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:24
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store malicious scripts in the input controls, resulting in Stored Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-45278
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.15% / 35.60%
||
7 Day CHG~0.00%
Published-08 Oct, 2024 | 03:21
Updated-14 Nov, 2024 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice

SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-commerce_backofficeSAP Commerce Backofficesap_commerce_backoffice
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33664
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 46.71%
||
7 Day CHG~0.00%
Published-09 Jun, 2021 | 13:32
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapSAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-27601
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 37.59%
||
7 Day CHG~0.00%
Published-13 Apr, 2021 | 18:43
Updated-03 Aug, 2024 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_javaSAP NetWeaver AS for Java (Applications based on HTMLB for Java)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6257
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 37.59%
||
7 Day CHG~0.00%
Published-12 May, 2020 | 17:53
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad) 4.2 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP Business Objects Business Intelligence Platform (CMC and BI launchpad)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6368
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.38% / 58.88%
||
7 Day CHG~0.00%
Published-15 Oct, 2020 | 01:54
Updated-04 Aug, 2024 | 09:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business Planning and Consolidation, versions - 750, 751, 752, 753, 754, 755, 810, 100, 200, can be abused by an attacker, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users, leading to Cross Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-business_planning_and_consolidationSAP Business Planning and Consolidation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6226
Matching Score-10
Assigner-SAP SE
ShareView Details
Matching Score-10
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.32% / 54.46%
||
7 Day CHG~0.00%
Published-14 Apr, 2020 | 18:33
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23855
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 17.58%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 03:14
Updated-20 Mar, 2025 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Solution Manager - version 720, allows an authenticated attacker to redirect users to a malicious site due to insufficient URL validation. A successful attack could lead an attacker to read or modify the information or expose the user to a phishing attack. As a result, it has a low impact to confidentiality, integrity and availability.

Action-Not Available
Vendor-SAP SE
Product-solution_managerSolution Manager
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2023-23851
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 36.97%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 03:11
Updated-21 Mar, 2025 | 14:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business Planning and Consolidation - versions 200, 300, allows an attacker with business authorization to upload any files (including web pages) without the proper file format validation. If other users visit the uploaded malicious web page, the attacker may perform actions on behalf of the users without their consent impacting the confidentiality and integrity of the system.

Action-Not Available
Vendor-SAP SE
Product-business_planning_and_consolidationBusiness Planning and Consolidation
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-21736
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.4||MEDIUM
EPSS-0.06% / 19.01%
||
7 Day CHG~0.00%
Published-09 Jan, 2024 | 01:15
Updated-17 Apr, 2025 | 17:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management)

SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks. A function import could be triggered allowing the attacker to create in-house bank accounts leading to low impact on the confidentiality of the application.

Action-Not Available
Vendor-SAP SE
Product-s\/4hana_financeSAP S/4HANA Finance (Advanced Payment Management)
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-21734
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-3.7||LOW
EPSS-0.15% / 36.68%
||
7 Day CHG~0.00%
Published-09 Jan, 2024 | 00:54
Updated-14 Nov, 2024 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
URL Redirection vulnerability in SAP Marketing (Contacts App)

SAP Marketing (Contacts App) - version 160, allows an attacker with low privileges to trick a user to open malicious page which could lead to a very convincing phishing attack with low impact on confidentiality and integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-marketingSAP Marketing (Contacts App)
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2020-26828
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.32% / 54.27%
||
7 Day CHG~0.00%
Published-09 Dec, 2020 | 16:30
Updated-04 Aug, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Disclosure Management, version - 10.1, provides capabilities for authorized users to upload and download content of specific file type. In some file types it is possible to enter formulas which can call external applications or execute scripts. The execution of a payload (script) on target machine could be used to steal and modify the data available in the spreadsheet

Action-Not Available
Vendor-SAP SE
Product-disclosure_managementSAP Disclosure Management.
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2021-21445
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.65%
||
7 Day CHG~0.00%
Published-12 Jan, 2021 | 14:42
Updated-03 Aug, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user. A successful exploitation of this vulnerability may lead to advanced attacks, including cross-site scripting and page hijacking.

Action-Not Available
Vendor-SAP SE
Product-commerce_cloudSAP Commerce Cloud
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2022-31598
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.11% / 29.79%
||
7 Day CHG~0.00%
Published-12 Jul, 2022 | 20:26
Updated-03 Aug, 2024 | 07:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Due to insufficient input validation, SAP Business Objects - version 420, allows an authenticated attacker to submit a malicious request through an allowed operation. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-business_objects_business_intelligence_platformSAP Business Objects
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2023-49587
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-6.4||MEDIUM
EPSS-0.11% / 30.42%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 01:35
Updated-26 Nov, 2024 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection vulnerability in SAP Solution Manager

SAP Solution Manager - version 720, allows an authorized attacker to execute certain deprecated function modules which can read or modify data of same or other component without user interaction over the network.

Action-Not Available
Vendor-SAP SE
Product-solution_managerSAP Solution Manager
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2020-6266
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 38.85%
||
7 Day CHG~0.00%
Published-10 Jun, 2020 | 12:51
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Fiori for SAP S/4HANA, versions - 100, 200, 300, 400, allows an attacker to redirect users to a malicious site due to insufficient URL validation, leading to URL Redirection.

Action-Not Available
Vendor-SAP SE
Product-fioriSAP Fiori for SAP S/4HANA
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2024-33007
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-3.5||LOW
EPSS-0.14% / 34.32%
||
7 Day CHG~0.00%
Published-14 May, 2024 | 03:44
Updated-30 Oct, 2024 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Client-side script execution vulnerability in SAP UI5(PDFViewer)

PDFViewer is a control delivered as part of SAPUI5 product which shows the PDF content in an embedded mode by default. If a PDF document contains embedded JavaScript (or any harmful client-side script), the PDFViewer will execute the JavaScript embedded in the PDF which can cause a potential security threat.

Action-Not Available
Vendor-SAP SE
Product-SAPUI5 (PDFViewer)sapui5
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-24521
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.60% / 68.42%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 03:16
Updated-21 Mar, 2025 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Due to insufficient input sanitization, SAP NetWeaver AS ABAP (BSP Framework) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-netweaver_as_abap_business_server_pagesNetWeaver AS ABAP (BSP Framework)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23859
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.44% / 62.42%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 03:15
Updated-20 Mar, 2025 | 18:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapNetWeaver AS for ABAP and ABAP Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-24529
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.29% / 52.22%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 03:19
Updated-20 Mar, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Due to lack of proper input validation, BSP application (CRM_BSP_FRAME) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, allow malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a Reflected Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to hijack a user session, read and modify some sensitive information.

Action-Not Available
Vendor-SAP SE
Product-netweaver_as_abap_business_server_pagesNetWeaver AS ABAP (Business Server Pages application)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-32733
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.09% / 25.74%
||
7 Day CHG~0.00%
Published-14 May, 2024 | 03:38
Updated-02 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform

Due to missing input validation and output encoding of untrusted data, SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject malicious JavaScript code into the dynamically crafted web page. On successful exploitation the attacker can access or modify sensitive information with no impact on availability of the application

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver Application Server ABAP and ABAP Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0298
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.35% / 56.70%
||
7 Day CHG~0.00%
Published-14 May, 2019 | 20:22
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP E-Commerce (Business-to-Consumer) application does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Fixed in the following components SAP-CRMJAV SAP-CRMWEB SAP-SHRWEB SAP-SHRJAV SAP-CRMAPP SAP-SHRAPP, versions 7.30, 7.31, 7.32, 7.33, 7.54.

Action-Not Available
Vendor-SAP SE
Product-e-commerceSAP E-Commerce (SAP-CRMJAV, SAP-CRMWEB, SAP-SHRWEB, SAP-SHRJAV, SAP-CRMAPP, SAP-SHRAPP)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33674
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.27% / 49.73%
||
7 Day CHG~0.00%
Published-14 Sep, 2021 | 11:24
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs. This allows an attacker to exploit a Reflected Cross-Site Scripting (XSS) vulnerability when creating a new email and to execute arbitrary code on the victim's browser.

Action-Not Available
Vendor-SAP SE
Product-contact_centerSAP Contact Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33691
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.9||MEDIUM
EPSS-0.23% / 45.86%
||
7 Day CHG~0.00%
Published-15 Sep, 2021 | 18:01
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NWDI Notification Service versions - 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.SAP NetWeaver Development Infrastructure Notification Service allows a threat actor to send crafted scripts to a victim. If the victim has an active session when the crafted script gets executed, the threat actor could compromise information in victims session, and gain access to some sensitive information also.

Action-Not Available
Vendor-SAP SE
Product-netweaver_development_infrastructureSAP NetWeaver Development Infrastructure (Notification Service)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0245
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.32% / 54.20%
||
7 Day CHG~0.00%
Published-08 Jan, 2019 | 20:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-s4fndsapscorecustomer_relationship_management_webclient_uiSAP CRM WebClient UI (SAPSCORE)SAP CRM WebClient UI (S4FND)SAP CRM WebClient UI (WEBCUIF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33694
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-5.9||MEDIUM
EPSS-0.16% / 36.98%
||
7 Day CHG~0.00%
Published-15 Sep, 2021 | 18:01
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Cloud Connector, version - 2.0, does not sufficiently encode user-controlled inputs, allowing an attacker with Administrator rights, to include malicious codes that get stored in the database, and when accessed, could be executed in the application, resulting in Stored Cross-Site Scripting.

Action-Not Available
Vendor-SAP SE
Product-cloud_connectorSAP Cloud Connector
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33703
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-8.3||HIGH
EPSS-0.67% / 70.33%
||
7 Day CHG~0.00%
Published-10 Aug, 2021 | 14:08
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Under certain conditions, NetWeaver Enterprise Portal, versions - 7.30, 7.31, 7.40, 7.50, does not sufficiently encode URL parameters. An attacker can craft a malicious link and send it to a victim. A successful attack results in Reflected Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_enterprise_portalSAP NetWeaver Enterprise Portal (Application Extensions)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33702
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-8.3||HIGH
EPSS-0.74% / 71.92%
||
7 Day CHG~0.00%
Published-10 Aug, 2021 | 14:08
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Under certain conditions, NetWeaver Enterprise Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode report data. An attacker can craft malicious data and print it to the report. In a successful attack, a victim opens the report, and the malicious script gets executed in the victim's browser, resulting in a Stored Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_enterprise_portalSAP NetWeaver Enterprise Portal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-2932
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.38% / 58.70%
||
7 Day CHG~0.00%
Published-21 Aug, 2009 | 20:21
Updated-07 Aug, 2024 | 06:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in uddiclient/process in the UDDI client in SAP NetWeaver Application Server (Java) 7.0 allows remote attackers to inject arbitrary web script or HTML via the TModel Key field.

Action-Not Available
Vendor-n/aSAP SE
Product-netweavern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33666
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-4.7||MEDIUM
EPSS-0.15% / 36.10%
||
7 Day CHG~0.00%
Published-09 Jun, 2021 | 13:32
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When SAP Commerce Cloud version 100, hosts a JavaScript storefront, it is vulnerable to MIME sniffing, which, in certain circumstances, could be used to facilitate an XSS attack or malware proliferation.

Action-Not Available
Vendor-SAP SE
Product-commerce_cloudSAP Commerce Cloud
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-30214
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-4.8||MEDIUM
EPSS-0.15% / 35.89%
||
7 Day CHG+0.04%
Published-09 Apr, 2024 | 00:56
Updated-02 Aug, 2024 | 01:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP Business Connector

The application allows a high privilege attacker to append a malicious GET query parameter to Service invocations, which are reflected in the server response. Under certain circumstances, if the parameter contains a JavaScript, the script could be processed on client side.

Action-Not Available
Vendor-SAP SE
Product-SAP Business Connector
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33675
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.29% / 52.33%
||
7 Day CHG~0.00%
Published-14 Sep, 2021 | 11:19
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs. This allows an attacker to exploit a Reflected Cross-Site Scripting (XSS) vulnerability through phishing and to execute arbitrary code on the victim's browser.

Action-Not Available
Vendor-SAP SE
Product-contact_centerSAP Contact Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0319
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-7.5||HIGH
EPSS-0.97% / 75.73%
||
7 Day CHG~0.00%
Published-10 Jul, 2019 | 18:51
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SAP Gateway, versions 7.5, 7.51, 7.52 and 7.53, allows an attacker to inject content which is displayed in the form of an error message. An attacker could thus mislead a user to believe this information is from the legitimate service when it's not.

Action-Not Available
Vendor-SAP SE
Product-gatewayui5SAP Gateway
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2019-0385
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.35% / 56.71%
||
7 Day CHG~0.00%
Published-13 Nov, 2019 | 21:57
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Enable Now, before version 1908, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-enable_nowSAP Enable Now
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0238
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.33% / 55.43%
||
7 Day CHG~0.00%
Published-08 Jan, 2019 | 20:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Commerce (previously known as SAP Hybris Commerce), before version 6.7, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-hybrisSAP Commerce (ex. SAP Hybris Commerce)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0244
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.32% / 54.20%
||
7 Day CHG~0.00%
Published-08 Jan, 2019 | 20:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-s4fndsapscorecustomer_relationship_management_webclient_uiSAP CRM WebClient UI (SAPSCORE)SAP CRM WebClient UI (S4FND)SAP CRM WebClient UI (WEBCUIF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0251
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.33% / 55.51%
||
7 Day CHG~0.00%
Published-15 Feb, 2019 | 18:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Fiori Launchpad of SAP BusinessObjects, before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-businessobjectsSAP BusinessObjects Business Intelligence Platform (Fiori Launchpad)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0361
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.31% / 53.82%
||
7 Day CHG~0.00%
Published-10 Sep, 2019 | 16:09
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-supplier_relationship_managementSAP Supplier Relationship Management (Master Data Management Catalog) (SRM_MDM_CAT)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-28165
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-8.1||HIGH
EPSS-0.35% / 57.00%
||
7 Day CHG~0.00%
Published-14 May, 2024 | 03:51
Updated-02 Aug, 2024 | 00:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform

SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to manipulate a parameter in the Opendocument URL which could lead to high impact on Confidentiality and Integrity of the application

Action-Not Available
Vendor-SAP SE
Product-SAP BusinessObjects Business Intelligence Platformsap_business_objects_business_intgelligence_platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0329
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.35% / 56.70%
||
7 Day CHG~0.00%
Published-10 Jul, 2019 | 19:11
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Information Steward, version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-SAP SE
Product-information_stewardSAP Information Steward
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0335
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.27% / 50.61%
||
7 Day CHG~0.00%
Published-14 Aug, 2019 | 13:44
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Under certain conditions SAP BusinessObjects Business Intelligence Platform (Central Management Console), versions 4.1, 4.2, 4.3, allows an attacker to store a malicious payload within the description field of a user account. The payload is triggered when the mouse cursor is moved over the description field in the list, when generating the little yellow informational pop up box, resulting in Stored Cross Site Scripting Attack.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligenceSAP BusinessObjects Business Intelligence Platform (CMC)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-0308
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.8||MEDIUM
EPSS-0.28% / 50.77%
||
7 Day CHG~0.00%
Published-12 Jun, 2019 | 14:21
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authenticated attacker in SAP E-Commerce (Business-to-Consumer application), versions 7.3, 7.31, 7.32, 7.33, 7.54, can change the price of the product to zero and also checkout, by injecting an HTML code in the application that will be executed whenever the victim logs in to the application even on a different machine, leading to Code Injection.

Action-Not Available
Vendor-SAP SE
Product-e-commerceSAP E-Commerce (Business-to-Consumer application)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0018
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-10||CRITICAL
EPSS-0.50% / 65.14%
||
7 Day CHG~0.00%
Published-10 Jan, 2023 | 03:21
Updated-09 Apr, 2025 | 13:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console)

Due to improper input sanitization of user-controlled input in SAP BusinessObjects Business Intelligence Platform CMC application - versions 420, and 430, an attacker with basic user-level privileges can modify/upload crystal reports containing a malicious payload. Once these reports are viewable, anyone who opens those reports would be susceptible to stored XSS attacks. As a result of the attack, information maintained in the victim's web browser can be read, modified, and sent to the attacker.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformBusinessObjects Business Intelligence Platform (Central management console)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-22128
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-4.7||MEDIUM
EPSS-0.52% / 65.96%
||
7 Day CHG~0.00%
Published-13 Feb, 2024 | 02:02
Updated-16 Oct, 2024 | 21:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML

SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can inject malicious javascript to cause limited impact to confidentiality and integrity of the application data after successful exploitation.

Action-Not Available
Vendor-SAP SE
Product-netweaver_business_client_for_htmlSAP NetWeaver Business Client for HTML
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 195
  • 196
  • Next
Details not found