Sap: Security Vulnerabilities
Cross-site scripting (XSS) vulnerability in SAP BusinessObjects Enterprise XI 3.2 allows remote attackers to inject arbitrary web script or HTML via the ServiceClass field to the Edit Service Parameters page.
CVSS Score
4.3
EPSS Score
0.002
Published
2010-10-18
SAP BusinessObjects Enterprise XI 3.2 allows remote attackers to trigger TCP connections to arbitrary intranet hosts on any port, and obtain potentially sensitive information about open ports, via the apstoken parameter to the CrystalReports/viewrpt.cwr URI, related to an "internal port scanning" issue.
CVSS Score
5.0
EPSS Score
0.003
Published
2010-10-18
CmcApp in SAP BusinessObjects Enterprise XI 3.2 allows remote authenticated users to gain privileges via vectors involving the Program Job Server and the Program Login property.
CVSS Score
9.0
EPSS Score
0.005
Published
2010-10-18
Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
CVSS Score
10.0
EPSS Score
0.934
Published
2010-10-18
Stack-based buffer overflow in NT_Naming_Service.exe in SAP Business One 2005 A 6.80.123 and 6.80.320 allows remote attackers to execute arbitrary code via a long GIOP request to TCP port 30000.
CVSS Score
10.0
EPSS Score
0.797
Published
2010-08-25
Integer overflow in the OBGIOPServerWorker::extractHeader function in the ebus-3-3-2-6.dll module in SAP Crystal Reports 2008 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a GIOP packet with a crafted size, which triggers a heap-based buffer overflow.
CVSS Score
10.0
EPSS Score
0.256
Published
2010-08-17
Multiple cross-site scripting (XSS) vulnerabilities in the System Landscape Directory (SLD) component 6.4 through 7.02 in SAP NetWeaver allow remote attackers to inject arbitrary web script or HTML via the (1) action parameter to testsdic and the (2) helpstring parameter to paramhelp.jsp.
CVSS Score
4.3
EPSS Score
0.005
Published
2010-07-28
The Telnet interface in the SAP J2EE Engine Core (SAP-JEECOR) 6.40 through 7.02, and Server Core (SERVERCORE) 7.10 through 7.30 allows remote authenticated users to bypass a security check and conduct SMB relay attacks via unspecified vectors.
CVSS Score
4.9
EPSS Score
0.003
Published
2010-06-21
Cross-site scripting (XSS) vulnerability in axis2-admin/axis2-admin/engagingglobally in the administration console in Apache Axis2/Java 1.4.1, 1.5.1, and possibly other versions, as used in SAP Business Objects 12, 3com IMC, and possibly other products, allows remote attackers to inject arbitrary web script or HTML via the modules parameter. NOTE: some of these details are obtained from third party information.
CVSS Score
4.3
EPSS Score
0.269
Published
2010-05-27
Cross-site scripting (XSS) vulnerability in SAP NetWeaver 2004 before SP21 and 2004s before SP13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS Score
4.3
EPSS Score
0.003
Published
2010-04-29