Vulnerabilities in SAP SE

778 results
Vexday analysis

Com 778 CVEs catalogadas, o portfólio da SAP SE apresenta uma taxa de exploração ativa 1,7 vez acima da média geral do catálogo CISA KEV, indicando que vulnerabilidades nessa plataforma atraem atenção proporcional de agentes de ameaça. O tipo de falha mais recorrente é CWE-119 (erros de manipulação de memória), um vetor historicamente associado a impacto elevado de execução de código. A CVE mais crítica em exploração ativa, CVE-2020-6287, — neste caso CVE-2020-6207 — registra EPSS de 0,9838, sinalizando probabilidade muito alta de exploração observada na prática e justificando priorização imediata de remediação. Além disso, 18 vulnerabilidades possuem PoC pública e 46 são de severidade crítica, ampliando a superfície de risco para organizações que ainda não aplicaram os patches correspondentes.

CVE-2022-35290HIGHUnder certain conditions SAP Authenticator for Android allows an attacker to access information which would otherwise be restricted.EPSS 0.7%CVE-2020-6231MEDIUMSAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controEPSS 0.6%CVE-2020-6326MEDIUMSAP NetWeaver (Knowledge Management), version-7.30,7.31,7.40,7.50, allows an authenticated attacker to create malicious links in the UI, wheEPSS 0.6%CVE-2020-6226MEDIUMSAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controEPSS 0.6%CVE-2019-0361SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently EPSS 0.6%CVE-2020-6221MEDIUMWeb Intelligence HTML interface in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, does not sufficiently encode userEPSS 0.6%CVE-2020-6214MEDIUMSAP S/4HANA (Financial Products Subledger), version 100, uses an incorrect authorization object in some reports. Although the affected reporEPSS 0.6%CVE-2020-26825MEDIUMSAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to use SAP Fiori Launchpad EPSS 0.6%CVE-2020-6323SAP NetWeaver Enterprise Portal (Fiori Framework Page) versions - 7.50, 7.31, 7.40, does not sufficiently encode user-controlled inputs and EPSS 0.6%CVE-2021-27598MEDIUMSAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data lEPSS 0.6%CVE-2021-21445MEDIUMSAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP responEPSS 0.6%CVE-2020-6291MEDIUMSAP Disclosure Management, version 10.1, session mechanism does not have expiration data set therefore allows unlimited access after authentEPSS 0.6%CVE-2019-0316SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validaEPSS 0.6%CVE-2021-42067In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker EPSS 0.6%CVE-2021-33688SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. Due to fraEPSS 0.6%CVE-2020-6195MEDIUMSAP Business Objects Business Intelligence Platform (CMC), version 4.1, 4.2, shows cleartext password in the response, leading to InformatioEPSS 0.6%CVE-2020-6204MEDIUMThe selection query in SAP Treasury and Risk Management (Transaction Management) (EA-FINSERV?versions 600, 603, 604, 605, 606, 616, 617, 618EPSS 0.6%CVE-2020-6256MEDIUMSAP Master Data Governance, versions - 748, 749, 750, 751, 752, 800, 801, 802, 803, 804, allows users to display change request details withEPSS 0.6%CVE-2022-29612SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04, KRNL64NUC 7.22EPSS 0.6%CVE-2022-35293CRITICALDue to insecure session management, SAP Enable Now allows an unauthenticated attacker to gain access to user's account. On successful exploiEPSS 0.6%