Vulnerabilities in SAP SE
778 resultsVexday analysis
Com 778 CVEs catalogadas, o portfólio da SAP SE apresenta uma taxa de exploração ativa 1,7 vez acima da média geral do catálogo CISA KEV, indicando que vulnerabilidades nessa plataforma atraem atenção proporcional de agentes de ameaça. O tipo de falha mais recorrente é CWE-119 (erros de manipulação de memória), um vetor historicamente associado a impacto elevado de execução de código. A CVE mais crítica em exploração ativa, CVE-2020-6287, — neste caso CVE-2020-6207 — registra EPSS de 0,9838, sinalizando probabilidade muito alta de exploração observada na prática e justificando priorização imediata de remediação. Além disso, 18 vulnerabilidades possuem PoC pública e 46 são de severidade crítica, ampliando a superfície de risco para organizações que ainda não aplicaram os patches correspondentes.
CVE-2021-27592MEDIUMWhen a user opens manipulated Universal 3D (.U3D) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application EPSS 1.4%CVE-2018-2484—SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, EPSS 1.4%CVE-2021-27587MEDIUMWhen a user opens manipulated Jupiter Tessellation (.JT) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer verEPSS 1.4%CVE-2021-27585MEDIUMWhen a user opens manipulated Computer Graphics Metafile (.CGM) format files received from untrusted sources in SAP 3D Visual Enterprise VieEPSS 1.4%CVE-2020-6265CRITICALSAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass EPSS 1.4%CVE-2019-0318—Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows anEPSS 1.4%CVE-2020-6196HIGHSAP BusinessObjects Mobile (MobileBIService), version 4.2, allows an attacker to generate multiple requests, using which he can block all thEPSS 1.4%CVE-2018-2417MEDIUMUnder certain conditions, the SAP Identity Management 8.0 (pass of type ToASCII) allows an attacker to access information which would otherwEPSS 1.4%CVE-2019-0389—An administrator of SAP NetWeaver Application Server Java (J2EE-Framework), (corrected in versions 7.1, 7.2, 7.3, 7.31, 7.4, 7.5), may changEPSS 1.3%CVE-2020-26821CRITICALSAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorizatEPSS 1.3%CVE-2022-22543—SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel) - versions KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.EPSS 1.3%CVE-2019-0321—ABAP Server and ABAP Platform (SAP Basis), versions, 7.31, 7.4, 7.5, do not sufficiently encode user-controlled inputs, resulting in Cross-SEPSS 1.3%CVE-2020-6296HIGHSAP NetWeaver (ABAP Server) and ABAP Platform, versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, allows an attacker to EPSS 1.3%CVE-2019-0329—SAP Information Steward, version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerabiEPSS 1.3%CVE-2019-0281—SAPUI5 and OpenUI5, before versions 1.38.39, 1.44.39, 1.52.25, 1.60.6 and 1.63.0, does not sufficiently encode user-controlled inputs, resulEPSS 1.3%CVE-2021-27634HIGHSAP NetWeaver AS for ABAP (RFC Gateway), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.EPSS 1.3%CVE-2018-2399MEDIUMCross-Site Scripting in Process Monitoring Infrastructure, from 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, due to inefficient encoding of uEPSS 1.3%CVE-2019-0298—SAP E-Commerce (Business-to-Consumer) application does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSEPSS 1.3%CVE-2019-0326—SAP BusinessObjects Business Intelligence Platform (BI Workspace) (Enterprise), versions 4.1, 4.2, 4.3, does not sufficiently encode user-coEPSS 1.3%CVE-2020-6238CRITICALSAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading toEPSS 1.3%