cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-54198,https://securityvulnerability.io/vulnerability/CVE-2024-54198,SAP NetWeaver Application Server ABAP Vulnerability: Authenticated Attacker Can Access Remote Services,"The vulnerability in the SAP NetWeaver Application Server ABAP allows authenticated attackers to exploit crafted Remote Function Call (RFC) requests targeting restricted destinations. This exposure may lead to unauthorized access to sensitive credentials utilized by remote services. Once compromised, these credentials pose a significant risk as they can be leveraged to execute further attacks, undermining the confidentiality, integrity, and availability of the application. Organizations utilizing affected versions should prioritize applying relevant security patches to mitigate potential security risks. For additional insights and patch information, refer to SAP's official documentation.",SAP,SAP Netweaver Application Server Abap,8.5,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-12-10T00:12:47.729Z,0
CVE-2024-54197,https://securityvulnerability.io/vulnerability/CVE-2024-54197,SAP NetWeaver Administrator Vulnerability Allows HTTP Endpoint Enumeration and SSRF Attacks,"The vulnerability in SAP NetWeaver Administrator allows an authenticated attacker to perform HTTP endpoint enumeration within the internal network by crafting specific HTTP requests. This exploitation could lead to Server-Side Request Forgery (SSRF), potentially compromising data confidentiality and integrity. The vulnerability does not affect the application's availability, but the resultant SSRF could allow attackers to interact with internal services, increasing the risk of broader network exploitation. Early mitigation is crucial to safeguard sensitive data and prevent unauthorized access.",SAP,SAP Netweaver Administrator(system Overview),7.2,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-12-10T00:12:42.296Z,0
CVE-2024-47578,https://securityvulnerability.io/vulnerability/CVE-2024-47578,Adobe Document Service Vulnerability Allows Server-Side Request Forgery,"A vulnerability exists in Adobe Document Service that allows an attacker with administrator privileges to craft and send malicious requests from a vulnerable web application. This weakness typically targets internal systems shielded by firewalls, rendering them susceptible to external exploitation. Successfully executing this attack can enable a malicious user to read or modify files and potentially disrupt the functionality of the entire system. Organizations utilizing Adobe Document Service should promptly implement security measures and patches to mitigate the risks associated with this vulnerability.",SAP,SAP Netweaver As For Java (adobe Document Services),9.1,CRITICAL,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-12-10T00:11:57.435Z,0
CVE-2024-47595,https://securityvulnerability.io/vulnerability/CVE-2024-47595,"Attacker Could Replace Local Files, Causing High Impact on Confidentiality and Integrity","A local file replacement vulnerability exists within SAP systems, where an attacker with membership in the sapsys group can exploit this weakness to replace files normally protected by higher privilege levels. This exploitation can significantly undermine the confidentiality and integrity of the affected applications, leading to unauthorized access and modifications to sensitive data. Organizations using SAP applications should be vigilant and apply necessary security patches to mitigate potential risks associated with this vulnerability.",SAP,SAP Host Agent,7.1,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-11-12T00:27:23.692Z,0
CVE-2024-33003,https://securityvulnerability.io/vulnerability/CVE-2024-33003,OCC API Endpoints Vulnerable to PII Data Exposure,"A vulnerability has been identified in certain OCC API endpoints of SAP Commerce Cloud, which allows for the exposure of Personally Identifiable Information (PII). This issue occurs when sensitive data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, is included directly in the request URL, either as query or path parameters. The compromised integrity and confidentiality of this information can have serious repercussions, making it crucial for organizations using affected versions to assess their security posture. To mitigate the risks associated with this vulnerability, users are advised to apply the appropriate security patches and review their API endpoint configurations.",SAP,SAP Commerce Cloud,9.1,CRITICAL,0.000910000002477318,false,,false,false,false,,,false,false,,2024-08-13T03:36:55.034Z,0
CVE-2024-42374,https://securityvulnerability.io/vulnerability/CVE-2024-42374,Untrusted XML Document Validation Vulnerability Affects SAP ADS Rendering,"The BEx Web Java Runtime Export Web Service from SAP exhibits inadequate validation of XML documents received from untrusted sources. This vulnerability enables attackers to extract sensitive information from SAP ADS systems. Additionally, it can lead to the exhaustion of the XMLForm service, resulting in the inaccessibility of PDF creation functionalities, ultimately compromising the confidentiality and availability of applications relying on this service.",SAP,SAP Bex Web Java Runtime Export Web Service,8.2,HIGH,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-08-13T03:34:11.415Z,0
CVE-2024-41730,https://securityvulnerability.io/vulnerability/CVE-2024-41730,"Unauthorized Access via REST Endpoint poses High Risk to Confidentiality, Integrity, and Availability","In SAP BusinessObjects Business Intelligence Platform, a vulnerability exists that allows an unauthorized user to obtain a logon token when Single Sign-On is enabled with Enterprise authentication. This exploit makes it possible for attackers to gain access and potentially compromise the system while impacting essential security aspects such as confidentiality, integrity, and availability. Organizations using vulnerable versions must take immediate action to mitigate risks associated with this security flaw.",SAP,SAP Businessobjects Business Intelligence Platform,9.8,CRITICAL,0.000910000002477318,false,,false,false,false,,,false,false,,2024-08-13T03:31:37.327Z,0
CVE-2024-39598,https://securityvulnerability.io/vulnerability/CVE-2024-39598,SAP CRM Vulnerability: Authenticated Attacker can Enumerate Accessible HTTP Endpoints,"The SAP CRM WebClient UI Framework is susceptible to a vulnerability that allows authenticated attackers to craft specific HTTP requests. By exploiting this flaw, attackers can enumerate the HTTP endpoints available within the internal network. Although this vulnerability does not affect the integrity or availability of the application, it poses a significant risk of information disclosure. Organizations utilizing this product should prioritize mitigating this vulnerability to protect sensitive information from unauthorized access.",SAP,SAP Crm Webclient Ui,7.7,HIGH,0.0004900000058114529,false,,false,false,false,,,false,false,,2024-07-09T04:04:41.283Z,0
CVE-2024-39597,https://securityvulnerability.io/vulnerability/CVE-2024-39597,SAP Commerce Vulnerability: Misuse of Forgotten Password Functionality Can Grant Access to Non-Isolated Sites,"The vulnerability in SAP Commerce allows a user to exploit the forgotten password functionality, enabling them to gain unauthorized access to a Composable Storefront B2B site where early login and registration features are active. This security issue becomes more critical if the site is not configured to operate as an isolated instance. In such cases, attackers may gain access not only to the vulnerable site but also to other non-isolated early login sites, even if registration is disabled on those platforms. Proper configuration and review of user account approval processes are essential in mitigating this vulnerability.",SAP,SAP Commerce,7.2,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-07-09T03:48:11.488Z,0
CVE-2024-34688,https://securityvulnerability.io/vulnerability/CVE-2024-34688,DoS Attacks on Repository Services Can Cause High Availability Impact,"This vulnerability allows for unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java. As a result, attackers can exploit this flaw to execute Denial of Service (DoS) attacks, disrupting application availability for legitimate users. While the integrity and confidentiality of the application remain unaffected, the potential for service disruption raises serious concerns for organizations relying on SAP NetWeaver for their operations.",SAP,SAP Netweaver As Java,7.5,HIGH,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-06-11T02:02:21.587Z,0
CVE-2024-37177,https://securityvulnerability.io/vulnerability/CVE-2024-37177,SAP Financial Consolidation Vulnerability: Untrusted Data Entry via Web Application,"The vulnerability in SAP Financial Consolidation arises from the application allowing data to be submitted through endpoints exposed over the network. This situation opens up the possibility for an attacker to exploit untrusted sources, potentially altering the application's content. The manipulation of data can lead to severe repercussions regarding the confidentiality and integrity of sensitive financial information, making it crucial for organizations using this software to implement necessary security measures.",SAP,SAP Financial Consolidation,8.1,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-06-11T01:58:36.889Z,0
CVE-2024-33006,https://securityvulnerability.io/vulnerability/CVE-2024-33006,Unauthorized File Upload Vulnerability,"The SAP Security Patch Day May 2024 delivered 14 new Security Notes alongside updates to 3 previously released notes. A critical vulnerability, tracked as CVE-2024-33006, was addressed in the SAP NetWeaver Application Server ABAP and ABAP Platform. This vulnerability allows an unauthenticated attacker to upload a malicious file to the server, potentially leading to a complete system takeover. The exploitation of this vulnerability is a severe risk and organizations using SAP systems are urged to upgrade promptly to mitigate the risk. Additionally, other vulnerabilities were addressed in the security updates, highlighting the importance of timely patching and security vigilance.",SAP,SAP Netweaver Application Server Abap And Abap Platform,9.6,CRITICAL,0.0004299999854993075,false,,true,false,true,2024-05-15T14:10:40.000Z,,false,false,,2024-05-14T04:16:06.647Z,0
CVE-2024-28165,https://securityvulnerability.io/vulnerability/CVE-2024-28165,SAP Business Objects Platform Vulnerable to Stored XSS Attacks,"The SAP Business Objects Business Intelligence Platform is susceptible to a stored cross-site scripting (XSS) vulnerability that permits an attacker to manipulate parameters within the Opendocument URL. This security flaw can lead to severe repercussions on the confidentiality and integrity of the application, potentially allowing unauthorized access or manipulation of sensitive information. Users and organizations utilizing this platform are advised to reference SAP's security updates and implement necessary measures to mitigate the risks associated with this vulnerability.",SAP,SAP Businessobjects Business Intelligence Platform,8.1,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-05-14T03:51:20.267Z,0
CVE-2024-22127,https://securityvulnerability.io/vulnerability/CVE-2024-22127,SAP NetWeaver Administrator AS Java Vulnerability Could Lead to Command Injection,"The vulnerability in SAP NetWeaver Administrator AS Java's Administrator Log Viewer plug-in permits an attacker, who possesses high privileges, to upload potentially harmful files. This exploit leads to a command injection vulnerability, allowing the attacker to execute arbitrary commands within the application. Such unauthorized command execution presents serious risks, potentially compromising the confidentiality, integrity, and availability of the application's data and services. Organizations utilizing affected versions of SAP NetWeaver are urged to apply the necessary patches to mitigate these risks effectively.",SAP,SAP Netweaver As Java (administrator Log Viewer Plug-in),9.1,CRITICAL,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-03-12T01:15:00.000Z,0
CVE-2024-22129,https://securityvulnerability.io/vulnerability/CVE-2024-22129,SAP Companion Vulnerable to XSS Attack,"The vulnerability in SAP Companion, specifically in versions prior to 3.1.38, involves a URL parameter that may be susceptible to cross-site scripting (XSS) attacks. This flaw allows an attacker to craft a malicious link, which, when clicked by a user, could result in unauthorized access to sensitive information. While the primary concern revolves around the potential for information exposure, it can also lead to minor integrity issues within the web application. Users are encouraged to review the affected versions and take appropriate measures to mitigate the risk.",SAP,SAP Companion,7.6,HIGH,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-02-13T03:40:54.670Z,0
CVE-2024-25642,https://securityvulnerability.io/vulnerability/CVE-2024-25642,Attackers Can Impersonate Genuine Servers to Intercept Sensitive Information in SAP Cloud Connector,"The vulnerability identified in SAP Cloud Connector version 2.0 arises from improper validation of certificates, potentially allowing attackers to impersonate legitimate servers. This flaw enables an attacker to break the mutual authentication mechanism, leading to serious security concerns. It grants the attacker the capability to intercept requests, thereby exposing sensitive information to unauthorized access or modification. The system's availability remains unaffected, but the risk of data integrity and confidentiality violations is significant.",SAP,SAP Cloud Connector,7.4,HIGH,0.0006900000153109431,false,,false,false,false,,,false,false,,2024-02-13T02:44:20.284Z,0
CVE-2024-24743,https://securityvulnerability.io/vulnerability/CVE-2024-24743,SAP NetWeaver AS Java Vulnerability Allows Unauthorized Access to Sensitive Data,"An XML parsing vulnerability exists in SAP NetWeaver AS Java (CAF - Guided Procedures) version 7.50. This vulnerability allows an unauthenticated attacker to send specially crafted XML requests over the network, enabling access to sensitive files and information stored within the system. Although the attacker cannot modify the accessed data, this situation raises concerns over data security and privacy. The system does implement expansion limits to ensure that the availability of the application is not compromised.",SAP,SAP Netweaver As Java (guided Procedures),8.6,HIGH,0.0009399999980814755,false,,false,false,false,,,false,false,,2024-02-13T02:43:40.755Z,0
CVE-2024-22131,https://securityvulnerability.io/vulnerability/CVE-2024-22131,Remote Execution Vulnerability Affects SAP ABA Versions 700-752,"A security vulnerability exists in SAP Application Basis (ABA) across multiple versions, where an attacker with remote execution authorization can exploit a susceptible interface. This vulnerability enables the attacker to invoke application functions and perform unauthorized actions, potentially allowing them to read or modify sensitive user and business data. Moreover, certain functions may lead to system unavailability, impacting overall business operations. Organizations running affected versions of SAP ABA should prioritize remediation to protect their data integrity and operational continuity.",SAP,SAP Aba (application Basis),7.2,HIGH,0.0005699999746866524,false,,false,false,false,,,false,false,,2024-02-13T02:30:51.886Z,0
CVE-2024-22126,https://securityvulnerability.io/vulnerability/CVE-2024-22126,SAP NetWeaver AS for Java vulnerable to Cross-Site Scripting (XSS),"The User Admin application of SAP NetWeaver AS for Java version 7.50 contains a vulnerability due to inadequate validation and improper encoding of incoming URL parameters utilized in redirect URLs. This flaw exposes the application to Cross-Site Scripting (XSS) attacks, enabling malicious actors to execute scripts in the context of users' sessions. As a result, this may lead to unauthorized access to sensitive information, compromising user confidentiality while posing a mild threat to the integrity and availability of users' data.",SAP,SAP NetWeaver AS Java (User Admin Application),8.8,HIGH,0.0010400000028312206,false,,false,false,false,,,false,false,,2024-02-13T01:58:27.745Z,0
CVE-2024-21737,https://securityvulnerability.io/vulnerability/CVE-2024-21737,Code Injection vulnerability in SAP Application Interface Framework (File Adapter),"The vulnerability in the SAP Application Interface Framework File Adapter version 702 allows a high privilege user to leverage a specific function module to navigate through multiple application layers, resulting in the execution of operating system commands. This situation grants the user significant control over the application, leading to potential risks regarding the confidentiality, integrity, and availability of the affected systems.",SAP,SAP Application Interface Framework (File Adapter),8.4,HIGH,0.0009399999980814755,false,,false,false,false,,,false,false,,2024-01-09T02:15:00.000Z,0
CVE-2024-22125,https://securityvulnerability.io/vulnerability/CVE-2024-22125,Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge),"The Microsoft Edge browser extension for the SAP GUI connector, version 1.0, is vulnerable under specific conditions, allowing attackers to obtain access to sensitive information that should be restricted. This vulnerability raises significant concerns regarding data confidentiality and may lead to unauthorized exposure of sensitive organizational data. Users and organizations are advised to apply necessary mitigations and ensure their systems are updated to mitigate potential risks.",SAP,Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge),7.4,HIGH,0.0013200000394135714,false,,false,false,false,,,false,false,,2024-01-09T02:15:00.000Z,0
CVE-2024-21735,https://securityvulnerability.io/vulnerability/CVE-2024-21735,Improper Authorization check in SAP LT Replication Server,"The vulnerability in SAP LT Replication Server arises from the failure to enforce proper authorization checks in versions S4CORE 103 through S4CORE 108. This oversight could empower an attacker with elevated privileges to execute unintended actions, potentially compromising key aspects of the system's confidentiality, integrity, and availability. Organizations utilizing these versions are urged to implement immediate security measures to mitigate the risks associated with this vulnerability.",SAP,SAP LT Replication Server,7.2,HIGH,0.0008900000248104334,false,,false,false,false,,,false,false,,2024-01-09T01:15:00.000Z,0
CVE-2023-50424,https://securityvulnerability.io/vulnerability/CVE-2023-50424,Escalation of Privileges in SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go),"The SAP BTP Security Services Integration Library for Golang versions prior to 0.17.0 contain a vulnerability that allows for escalation of privileges. This issue enables unauthenticated attackers to gain arbitrary permissions within the application under certain conditions, potentially leading to unauthorized access and compromise of sensitive functionalities.",SAP,Github.com/SAP/cloud-security-client-go,9.8,CRITICAL,0.0021100000012665987,false,,false,false,false,,,false,false,,2023-12-12T03:15:00.000Z,0
CVE-2023-50422,https://securityvulnerability.io/vulnerability/CVE-2023-50422,Escalation of Privileges in SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library),"The SAP BTP Security Services Integration Library, particularly in versions prior to 2.17.0 and between 3.0.0 and 3.2.9, is susceptible to a privilege escalation issue. This vulnerability enables an unauthenticated attacker to exploit certain conditions within the library, potentially allowing them to gain unauthorized permissions and access. Organizations using affected versions should prioritize their upgrade to mitigate the risk of exploitation.",SAP,Cloud-security-services-integration-library,9.8,CRITICAL,0.003370000049471855,false,,false,false,false,,,false,false,,2023-12-12T02:15:00.000Z,0
CVE-2023-49583,https://securityvulnerability.io/vulnerability/CVE-2023-49583,Escalation of Privileges in SAP BTP Security Services Integration Library ([Node.js] @sap/xssec),"The SAP BTP Security Services Integration Library, specifically versions prior to 3.6.0 of the @sap/xssec package, is vulnerable to privilege escalation. This vulnerability permits an unauthenticated attacker to gain arbitrary permissions within the application under certain conditions. Exploitation could potentially lead to unauthorized access to sensitive functionalities, allowing the attacker to perform actions as if they were a legitimate user.",SAP,@SAP/xssec,9.8,CRITICAL,0.003010000102221966,false,,false,false,false,,,false,false,,2023-12-12T02:15:00.000Z,0