Vulnerabilities in SAP SE

778 results
Vexday analysis

With 778 catalogued CVEs, the SAP SE portfolio shows an active-exploitation rate 1.7 times above the overall average of the CISA KEV catalog, indicating that vulnerabilities in this platform attract proportional attention from threat actors. The most recurrent weakness type is CWE-119 (memory-handling errors), a vector historically associated with high-impact code execution. The most critical CVE under active exploitation, CVE-2020-6287 (in this case CVE-2020-6207), has an EPSS score of 0.9838, signalling a very high probability of exploitation observed in practice and justifying immediate remediation priority. In addition, 18 vulnerabilities have a public PoC and 46 are of critical severity, widening the risk surface for organizations that have not yet applied the corresponding patches.

CVE-2020-6177 (MEDIUM, EPSS 0.8%): SAP Mobile Platform, version 3.0, does not sufficiently validate an XML document accepted from an untrusted source which could lead to parti
CVE-2020-6242 (CRITICAL, EPSS 0.8%): SAP Business Objects Business Intelligence Platform (Live Data Connect), versions 1.0, 2.0, 2.1, 2.2, 2.3, allows an attacker to logon on th
CVE-2019-0337 (EPSS 0.8%): Java Proxy Runtime of SAP NetWeaver Process Integration, versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-cont
CVE-2021-33680 (MEDIUM, EPSS 0.8%): SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated CGM file received from untrusted sources which causes buffer
CVE-2022-31593 (EPSS 0.8%): SAP Business One client - version 10.0 allows an attacker with low privileges, to inject code that can be executed by the application. An at
CVE-2020-6232 (MEDIUM, EPSS 0.8%): SAP Commerce, versions 1811, 1905, does not perform necessary authorization checks for an anonymous user, due to Missing Authorization Check
CVE-2021-40497 (EPSS 0.8%): SAP BusinessObjects Analysis (edition for OLAP) - versions 420, 430, allows an attacker to exploit certain application endpoints to read sen
CVE-2021-27619 (MEDIUM, EPSS 0.8%): SAP Commerce (Backoffice Search), versions - 1808, 1811, 1905, 2005, 2011, allows a low privileged user to search for attributes which are n
CVE-2022-22534 (EPSS 0.8%): Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data l
CVE-2022-41175 (EPSS 0.8%): Due to lack of proper memory management, when a victim opens a manipulated Enhanced Metafile (.emf, emf.x3d) file received from untrusted so
CVE-2022-22535 (EPSS 0.8%): SAP ERP HCM Portugal - versions 600, 604, 608, does not perform necessary authorization checks for a report that reads the payroll data of e
CVE-2020-6367 (HIGH, EPSS 0.8%): There is a reflected cross site scripting vulnerability in SAP NetWeaver Composite Application Framework, versions - 7.20, 7.30, 7.31, 7.40,
CVE-2021-21476 (MEDIUM, EPSS 0.8%): SAP UI5 versions before 1.38.49, 1.52.49, 1.60.34, 1.71.31, 1.78.18, 1.84.5, 1.85.4, 1.86.1 allows an unauthenticated attacker to redirect u
CVE-2021-21444 (MEDIUM, EPSS 0.8%): SAP Business Objects BI Platform, versions - 410, 420, 430, allows multiple X-Frame-Options headers entries in the response headers, which m
CVE-2020-26835 (MEDIUM, EPSS 0.8%): SAP NetWeaver AS ABAP, versions - 740, 750, 751, 752, 753, 754, does not sufficiently encode URL which allows an attacker to input maliciou
CVE-2021-33673 (HIGH, EPSS 0.8%): Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs and persists in them. This al
CVE-2021-27599 (MEDIUM, EPSS 0.8%): SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Integration Builder Framework), versions - 7.10, 7.30, 7.31, 7.40, 7.50,
CVE-2019-0332 (EPSS 0.8%): SAP BusinessObjects Business Intelligence Platform (Info View), versions 4.1, 4.2, 4.3, allows an attacker to give some payload for keyword
CVE-2022-22545 (EPSS 0.8%): A high privileged user who has access to transaction SM59 can read connection details stored with the destination for http calls in SAP NetW
CVE-2019-0335 (EPSS 0.8%): Under certain conditions SAP BusinessObjects Business Intelligence Platform (Central Management Console), versions 4.1, 4.2, 4.3, allows an