Code injection
A code injection vulnerability exists in SAP TREX / Business Warehouse Accelerator (BWA). The vendor response is SAP Security Note 2419592...
CVE-2017-7691
A code injection vulnerability exists in SAP TREX / Business Warehouse Accelerator (BWA). The vendor response is SAP Security Note 2419592...
CVE-2017-7691
The CVE-2017-7691 entry concerns a code-injection/remote code execution vulnerability in SAP TREX and the Business Warehouse Accelerator (BWA). The root cause described across sources is an insecure protocol/engine interaction within TREX that could be exploited to inject and execute code on the ...
CVE-2016-10310
Buffer overflow in the MobiLink Synchronization Server component in SAP SQL Anywhere 17 and possibly earlier allows remote authenticated users to cause a denial of service (resource consumption and process crash) by sending a crafted packet several times, aka SAP Security Note 2308778...
Buffer overflow
Buffer overflow in the MobiLink Synchronization Server component in SAP SQL Anywhere 17 and possibly earlier allows remote authenticated users to cause a denial of service (resource consumption and process crash) by sending a crafted packet several times, aka SAP Security Note 2308778...
CVE-2016-10311
Stack-based buffer overflow in SAP NetWeaver 7.0 through 7.5 allows remote attackers to cause a denial of service by sending a crafted packet to the SAPSTARTSRV port, aka SAP Security Note 2295238...
Stack overflow
Stack-based buffer overflow in SAP NetWeaver 7.0 through 7.5 allows remote attackers to cause a denial of service by sending a crafted packet to the SAPSTARTSRV port, aka SAP Security Note 2295238...
CVE-2016-10310
Buffer overflow in the MobiLink Synchronization Server component in SAP SQL Anywhere 17 and possibly earlier allows remote authenticated users to cause a denial of service (resource consumption and process crash) by sending a crafted packet several times, aka SAP Security Note 2308778...
Design/Logic Flaw
The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788...
CVE-2016-10304
The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788...
CVE-2016-10304
The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788...
Design/Logic Flaw
SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended security policy restrictions and execute arbitrary code via crafted ABAP code, aka SAP Security Note 2407616...
CVE-2017-6950
SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended security policy restrictions and execute arbitrary code via crafted ABAP code, aka SAP Security Note 2407616...
CVE-2017-6950
CVE-2017-6950 affects SAP GUI for Windows 7.2–7.5. The vulnerability allows remote code execution on the client by presenting crafted ABAP code, bypassing intended security policy restrictions (SAP Security Note 2407616). Exploitation would occur on vulnerable SAP GUI endpoints, enabling an attac...
SAP NetWeaver UMEADMIN 7.50 Directory Creation
Application: SAP NetWeaver; Versions Affected: SAP NetWeaver AS JAVA UMEADMIN component; Vendor URL: http://SAP.com; Bugs: Directory traversal; Reported: 04.12.2015; Vendor response: 05.12.2015; Date of Public Advisory: 13.12.2016; Reference: SAP Security Note 2310790; Author: Mathieu Geli (ERPScan)...
Cross site scripting
Cross-site scripting (XSS) vulnerability in the help component of SAP BusinessObjects Financial Consolidation 10.0.0.1933 allows remote attackers to inject arbitrary web script or HTML via a GET request. /finance/help/en/frameset.htm is the URI for this component. The vendor response is SAP Securit...
CVE-2017-6061
The CVE covers a Cross-Site Scripting (XSS) vulnerability in the SAP BusinessObjects Financial Consolidation 10.0.0.1933 product, exposed through the help component. Specifically, an attacker can trigger XSS by crafting a GET request to the help UI, notably /finance/help/en/frameset.htm, potentia...
SAP POS Missing Authentication in XpressServer
Application: SAP POS Xpress Server; Vendor URL: SAP; Bugs: Missing Authentication; Reported: 03.04.2017; Vendor response: 04.04.2017; Date of Public Advisory: 11.07.2017; Reference: SAP Security Note 2520064; Author: Dmitry Chastuhin (ERPScan). VULNERABILITY INFORMATION. Class: Missing Authentication Check...
SAP Hostcontrol unprotected web method / DOS
Application: SAP Host Agent; Versions Affected: SAP Host Agent 7.21; Vendor URL: SAP; Bugs: Missing Authentication; Reported: 27.02.2017; Vendor response: 28.02.2017; Date of Public Advisory: 11.07.2017; Reference: SAP Security Note 2442993; Author: Mathieu Geli (ERPScan). VULNERABILITY INFORMATION. Class:...
Design/Logic Flaw
The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows remote attackers to cause a denial of service (memory consumption and process crash) via multiple msgserver/group?group= requests with a crafted size of the group parameter, aka SAP Security Note 2358972...