Vulnerabilities in SAP SE

778 results
Vexday analysis

With 778 catalogued CVEs, the SAP SE portfolio shows an active-exploitation rate 1.7 times the overall average of the CISA KEV catalogue, indicating that vulnerabilities in this platform attract proportionate attention from threat actors. The most recurrent flaw type is CWE-119 (memory-handling errors), a vector historically associated with high-impact code execution. The most critical CVE under active exploitation, CVE-2020-6287, in this case CVE-2020-6207, records an EPSS of 0.9838, signalling a very high probability of exploitation observed in practice and justifying immediate remediation priority. In addition, 18 vulnerabilities have a public PoC and 46 are of critical severity, widening the risk surface for organisations that have not yet applied the corresponding patches.

CVE-2019-0356 (EPSS 0.7%): Under certain conditions SAP NetWeaver Process Integration Runtime Workbench – MESSAGING and SAP_XIAF (before versions 7.31, 7.40, 7.50) all...
CVE-2019-0364 (EPSS 0.7%): Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to enumerate...
CVE-2021-21474 (EPSS 0.7%): SAP HANA Database, versions - 1.0, 2.0, accepts SAML tokens with MD5 digest, an attacker who manages to obtain an MD5-digest signed SAML Ass...
CVE-2021-21483 (HIGH, EPSS 0.7%): Under certain conditions SAP Solution Manager, version - 720, allows a high privileged attacker to get access to sensitive information which...
CVE-2019-0346 (EPSS 0.7%): Unencrypted communication error in SAP Business Objects Business Intelligence Platform (Central Management Console), version 4.2, leads to d...
CVE-2019-0393 (EPSS 0.7%): An SQL Injection vulnerability in SAP Quality Management (corrected in S4CORE versions 1.0, 1.01, 1.02, 1.03) allows an attacker to carry ou...
CVE-2020-6183 (MEDIUM, EPSS 0.7%): SAP Host Agent, version 7.21, allows an unprivileged user to read the shared memory or write to the shared memory by sending request to the...
CVE-2019-0340 (EPSS 0.7%): The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validati...
CVE-2019-0348 (EPSS 0.7%): SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.1, 4.2, can access database with unencrypted connection, e...
CVE-2022-28217 (EPSS 0.7%): Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which al...
CVE-2019-0334 (EPSS 0.7%): When creating a module in SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, it is possible to store...
CVE-2022-29619 (EPSS 0.7%): Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.x - versions 420,430 allows user Administrator to view, edit o...
CVE-2020-26834 (MEDIUM, EPSS 0.7%): SAP HANA Database, version - 2.0, does not correctly validate the username when performing SAML bearer token-based user authentication. It i...
CVE-2020-6258 (MEDIUM, EPSS 0.7%): SAP Identity Management, version 8.0, does not perform necessary authorization checks for an authenticated user, allowing the attacker to vi...
CVE-2022-32236 (EPSS 0.7%): When a user opens manipulated Windows Bitmap (.bmp, 2d.x3d) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the ap...
CVE-2022-32247 (EPSS 0.7%): SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, is susceptible to script execution attack by an unauthe...
CVE-2022-26104 (EPSS 0.7%): SAP Financial Consolidation - version 10.1, does not perform necessary authorization checks for updating homepage messages, resulting for an...
CVE-2020-6188 (MEDIUM, EPSS 0.7%): VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S...
CVE-2020-6268 (MEDIUM, EPSS 0.7%): Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE version...
CVE-2020-6283 (MEDIUM, EPSS 0.7%): SAP Fiori Launchpad does not sufficiently encode user controlled inputs, and hence allowing the attacker to inject the meta tag into the lau...