Vulnerabilidades em SAP SE
778 resultadosAnálise Vexday
Com 778 CVEs catalogadas, o portfólio da SAP SE apresenta uma taxa de exploração ativa 1,7 vez acima da média geral do catálogo CISA KEV, indicando que vulnerabilidades nessa plataforma atraem atenção proporcional de agentes de ameaça. O tipo de falha mais recorrente é CWE-119 (erros de manipulação de memória), um vetor historicamente associado a impacto elevado de execução de código. A CVE mais crítica em exploração ativa, CVE-2020-6287, — neste caso CVE-2020-6207 — registra EPSS de 0,9838, sinalizando probabilidade muito alta de exploração observada na prática e justificando priorização imediata de remediação. Além disso, 18 vulnerabilidades possuem PoC pública e 46 são de severidade crítica, ampliando a superfície de risco para organizações que ainda não aplicaram os patches correspondentes.
CVE-2021-42068—When a user opens a manipulated GIF (.gif) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the applicEPSS 0.5%CVE-2021-33689LOWWhen user with insufficient privileges tries to access any application in SAP NetWeaver Administrator (Administrator applications), version EPSS 0.5%CVE-2021-33666MEDIUMWhen SAP Commerce Cloud version 100, hosts a JavaScript storefront, it is vulnerable to MIME sniffing, which, in certain circumstances, coulEPSS 0.5%CVE-2022-32237—When a user opens manipulated Computer Graphics Metafile (.cgm, CgmCore.dll) files received from untrusted sources in SAP 3D Visual EnterpriEPSS 0.5%CVE-2022-32241—When a user opens manipulated Portable Document Format (.pdf, PDFView.x3d) files received from untrusted sources in SAP 3D Visual EnterpriseEPSS 0.5%CVE-2022-32240—When a user opens manipulated Jupiter Tesselation (.jt, JTReader.x3d) files received from untrusted sources in SAP 3D Visual Enterprise ViewEPSS 0.5%CVE-2022-41189HIGHDue to lack of proper memory management, when a victim opens a manipulated AutoCAD (.dwg, TeighaTranslator.exe) file received from untrustedEPSS 0.5%CVE-2022-41202HIGHDue to lack of proper memory management, when a victim opens a manipulated Visual Design Stream (.vds, vds.x3d) file received from untrustedEPSS 0.5%CVE-2022-41198—Due to lack of proper memory management, when a victim opens a manipulated SketchUp (.skp, SketchUp.x3d) file received from untrusted sourceEPSS 0.5%CVE-2021-33695MEDIUMPotentially, SAP Cloud Connector, version - 2.0 communication with the backend is accepted without sufficient validation of the certificate.EPSS 0.5%CVE-2020-6278MEDIUMSAP Business Objects Business Intelligence Platform (BI Launchpad and CMC), versions 4.1, 4.2, allows to an attacker to embed malicious scriEPSS 0.5%CVE-2020-6303MEDIUMSAP Disclosure Management, before version 10.1, does not validate user input properly in specific use cases leading to Cross-Site Scripting.EPSS 0.5%CVE-2020-6200MEDIUMThe SAP Commerce (SmartEdit Extension), versions- 6.6, 6.7, 1808, 1811, is vulnerable to client-side angularjs template injection, a variantEPSS 0.5%CVE-2020-6312MEDIUMSAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), versions - 4.1, 4.2, allows an attacker with a non-admEPSS 0.5%CVE-2020-6185MEDIUMUnder certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.5EPSS 0.5%CVE-2020-6257MEDIUMSAP Business Objects Business Intelligence Platform (CMC and BI Launchpad) 4.2 does not sufficiently encode user-controlled inputs, resultinEPSS 0.5%CVE-2020-6272MEDIUMSAP Commerce Cloud versions - 1808, 1811, 1905, 2005, does not sufficiently encode user inputs, which allows an authenticated and authorizedEPSS 0.5%CVE-2021-21447MEDIUMSAP BusinessObjects Business Intelligence platform, versions 410, 420, allows an authenticated attacker to inject malicious JavaScript payloEPSS 0.5%CVE-2020-6300MEDIUMSAP Business Objects Business Intelligence Platform (Central Management Console), versions- 4.2, 4.3, allows an attacker with administrator EPSS 0.5%CVE-2019-0369—SAP Financial Consolidation, before versions 10.0 and 10.1, does not sufficiently encode user-controlled inputs, which allows an attacker toEPSS 0.5%