Vulnerabilities in SAP SE

778 results
Vexday Analysis

With 778 catalogued CVEs, the SAP SE portfolio shows an active exploitation rate 1.7 times above the overall average of the CISA KEV catalog, indicating that vulnerabilities in this platform attract a proportional degree of attention from threat actors. The most recurrent flaw type is CWE-119 (memory handling errors), a vector historically associated with high-impact code execution. The most critical CVE under active exploitation, CVE-2020-6287, in this case CVE-2020-6207, records an EPSS of 0.9838, signalling a very high probability of exploitation observed in practice and justifying immediate prioritisation of remediation. In addition, 18 vulnerabilities have a public PoC and 46 are of critical severity, widening the risk surface for organisations that have not yet applied the corresponding patches.

CVE-2019-0375 (EPSS 0.7%): SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently enc…
CVE-2022-29611 (EPSS 0.7%): SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulti…
CVE-2021-33671 HIGH (EPSS 0.7%): SAP NetWeaver Guided Procedures (Administration Workset), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authoriz…
CVE-2021-21471 MEDIUM (EPSS 0.7%): In CLA-Assistant, versions before 2.8.5, due to improper access control an authenticated user could access API endpoints which are not inten…
CVE-2019-0388 (EPSS 0.7%): SAP UI5 HTTP Handler (corrected in SAP_UI versions 7.5, 7.51, 7.52, 7.53, 7.54 and SAP UI_700 version 2.0) allows an attacker to manipulate …
CVE-2020-6178 MEDIUM (EPSS 0.7%): SAP Enable Now, before version 1911, sends the Session ID cookie value in URL. This might be stolen from the browser history or log files, l…
CVE-2021-38183 (EPSS 0.7%): SAP NetWeaver, versions 700, 701, 702, 730, does not sufficiently encode user-controlled inputs, allowing an attacker to cause a potential …
CVE-2020-6307 MEDIUM (EPSS 0.7%): Automated Note Search Tool (update provided in SAP Basis 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54) does not perform suffic…
CVE-2019-0370 (EPSS 0.7%): Due to missing input validation, SAP Financial Consolidation, before versions 10.0 and 10.1, enables an attacker to use crafted input to int…
CVE-2020-6313 MEDIUM (EPSS 0.7%): SAP NetWeaver Application Server JAVA (XML Forms) versions 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user controlled inputs, which …
CVE-2019-0267 (EPSS 0.7%): SAP Manufacturing Integration and Intelligence, versions 15.0, 15.1 and 15.2, (Illuminator Servlet) currently does not provide Anti-XSRF tok…
CVE-2022-41259 MEDIUM (EPSS 0.7%): SAP SQL Anywhere, version 17.0, allows an authenticated attacker to prevent legitimate users from accessing a SQL Anywhere database server …
CVE-2021-27584 MEDIUM (EPSS 0.7%): When a user opens manipulated PhotoShop Document (.PSD) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer vers…
CVE-2019-0278 (EPSS 0.7%): Under certain conditions the Monitoring Servlet of the SAP NetWeaver Process Integration (Messaging System), fixed in versions 7.10 to 7.11,…
CVE-2021-27596 MEDIUM (EPSS 0.7%): When a user opens manipulated Autodesk 3D Studio for MS-DOS (.3DS) files received from untrusted sources in SAP 3D Visual Enterprise Viewer,…
CVE-2022-31595 (EPSS 0.7%): SAP Financial Consolidation, version 1010, does not perform necessary authorization checks for an authenticated user, resulting in escalati…
CVE-2018-2389 (EPSS 0.7%): Under certain conditions a malicious user can inject log files of SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, hidin…
CVE-2020-6193 MEDIUM (EPSS 0.7%): SAP NetWeaver (Knowledge Management ICE Service), versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to execute malicious s…
CVE-2020-6301 MEDIUM (EPSS 0.7%): SAP ERP (HCM Travel Management), versions 600, 602, 603, 604, 605, 606, 607, 608, allows an authenticated but unauthorized attacker to rea…
CVE-2019-0390 (EPSS 0.7%): Under certain conditions SAP Data Hub (corrected in DH_Foundation version 2) allows an attacker to access information which would otherwise …