Vulnerabilities in SAP SE
778 resultsVexday analysis
Com 778 CVEs catalogadas, o portfólio da SAP SE apresenta uma taxa de exploração ativa 1,7 vez acima da média geral do catálogo CISA KEV, indicando que vulnerabilidades nessa plataforma atraem atenção proporcional de agentes de ameaça. O tipo de falha mais recorrente é CWE-119 (erros de manipulação de memória), um vetor historicamente associado a impacto elevado de execução de código. A CVE mais crítica em exploração ativa, CVE-2020-6287, — neste caso CVE-2020-6207 — registra EPSS de 0,9838, sinalizando probabilidade muito alta de exploração observada na prática e justificando priorização imediata de remediação. Além disso, 18 vulnerabilidades possuem PoC pública e 46 são de severidade crítica, ampliando a superfície de risco para organizações que ainda não aplicaram os patches correspondentes.
CVE-2018-2413MEDIUMSAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileEPSS 1.5%CVE-2020-6263MEDIUMStandalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7EPSS 1.4%CVE-2021-21446HIGHSAP NetWeaver AS ABAP, versions 740, 750, 751, 752, 753, 754, 755, allows an unauthenticated attacker to prevent legitimate users from accesEPSS 1.4%CVE-2018-2412LOWSAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileEPSS 1.4%CVE-2020-6275HIGHSAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request ForgEPSS 1.4%CVE-2020-26830HIGHSAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, does not perform necessary authorization checks for an authenticated uEPSS 1.4%CVE-2019-0315—Under certain conditions the PI Integration Builder Web UI of SAP NetWeaver Process Integration (versions: SAP_XIESR: 7.10 to 7.11, 7.20, 7.EPSS 1.4%CVE-2019-0270—ABAP Server of SAP NetWeaver and ABAP Platform fail to perform necessary authorization checks for an authenticated user, resulting in escalaEPSS 1.4%CVE-2019-0258—SAP Disclosure Management, version 10.01, does not perform necessary authorization checks for an authenticated user, resulting in escalationEPSS 1.4%CVE-2022-28773—Due to an uncontrolled recursion in SAP Web Dispatcher and SAP Internet Communication Manager, the application may crash, leading to denial EPSS 1.4%CVE-2019-0365—SAP Kernel (RFC), KRNL32NUC, KRNL32UC and KRNL64NUC before versions 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64UC, before versions 7.21, 7.21EXT, 7EPSS 1.4%CVE-2022-28772—By overlong input values an attacker may force overwrite of the internal program stack in SAP Web Dispatcher - versions 7.53, 7.77, 7.81, 7.EPSS 1.4%CVE-2021-21493MEDIUMWhen a user opens manipulated Graphics Interchange Format (.GIF) format files received from untrusted sources in SAP 3D Visual Enterprise ViEPSS 1.4%CVE-2020-26815HIGHSAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to send a crafted request tEPSS 1.4%CVE-2019-0257—Customizing functionality of SAP NetWeaver AS ABAP Platform (fixed in versions from 7.0 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7EPSS 1.4%CVE-2020-6240MEDIUMSAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticateEPSS 1.4%CVE-2021-27595MEDIUMWhen a user opens manipulated Portable Document Format (.PDF) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the EPSS 1.4%CVE-2020-6198CRITICALSAP Solution Manager (Diagnostics Agent), version 720, allows unencrypted connections from unauthenticated sources. This allows an attacker EPSS 1.4%CVE-2022-26101—Fiori launchpad - versions 754, 755, 756, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulneEPSS 1.4%CVE-2022-24399—The SAP Focused Run (Real User Monitoring) - versions 200, 300, REST service does not sufficiently sanitize the input name of the file usingEPSS 1.4%