Sap: Security Vulnerabilities
SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105, allows a registered attacker to invoke certain functions that would otherwise be restricted to specific users. These functions are normally exposed over the network and once exploited the attacker may be able to view and modify financial accounting data that only a specific user should have access to.
CVSS Score
5.4
EPSS Score
0.001
Published
2021-09-14
Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs. This allows an attacker to exploit a Reflected Cross-Site Scripting (XSS) vulnerability through phishing and to execute arbitrary code on the victim's browser.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-09-14
The SAP BusinessObjects BI Platform version - 420 allows an attacker, who has basic access to the application, to inject a malicious script while creating a new module document, file, or folder. When another user visits that page, the stored malicious script will execute in their session, hence allowing the attacker to compromise their confidentiality and integrity.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-09-14
SAP Business One version - 10.0 allows low-level authorized attacker to traverse the file system to access files or directories that are outside of the restricted directory. A successful attack allows access to high level sensitive data
CVSS Score
6.5
EPSS Score
0.003
Published
2021-09-14
Under certain conditions, SAP Business One version - 10.0, allows an unauthorized attacker to get access to some encrypted sensitive information, but does not have control over kind or degree.
CVSS Score
5.3
EPSS Score
0.002
Published
2021-09-14
SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. Due to framework restrictions, only some information can be obtained.
CVSS Score
4.3
EPSS Score
0.003
Published
2021-09-14
SAP NetWeaver Enterprise Portal versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user related data, resulting in Stored Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with administrative privileges to store a malicious script on the portal. The execution of the script content by a victim registered on the portal could compromise the confidentiality and integrity of portal content.
CVSS Score
4.8
EPSS Score
0.002
Published
2021-09-14
Due to missing encoding in SAP Contact Center's Communication Desktop component- version 700, an attacker could send malicious script in chat message. When the message is accepted by the chat recipient, the script gets executed in their scope. Due to the usage of ActiveX in the application, the attacker can further execute operating system level commands in the chat recipient's scope. This could lead to a complete compromise of their confidentiality, integrity, and could temporarily impact their availability.
CVSS Score
9.6
EPSS Score
0.003
Published
2021-09-14
Under certain conditions, SAP Contact Center - version 700,does not sufficiently encode user-controlled inputs and persists in them. This allows an attacker to exploit a Stored Cross-Site Scripting (XSS) vulnerability when a user browses through the employee directory and to execute arbitrary code on the victim's browser. Due to the usage of ActiveX in the application, the attacker can further execute operating system level commands.
CVSS Score
8.3
EPSS Score
0.003
Published
2021-09-14
Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs. This allows an attacker to exploit a Reflected Cross-Site Scripting (XSS) vulnerability when creating a new email and to execute arbitrary code on the victim's browser.
CVSS Score
6.5
EPSS Score
0.003
Published
2021-09-14