← Back

Sap

sap

1,576 CVEs • 429 products

Products (429)

Click to collapse
Toggle
3d Visual Enterprise Viewer
3d_visual_enterprise_viewer
131 CVEs
Netweaver
netweaver
102 CVEs
Netweaver Application Server Abap
netweaver_application_server_abap
86 CVEs
Businessobjects Business Intelligence Platform
businessobjects_business_intelligence_platform
73 CVEs
Netweaver Application Server Java
netweaver_application_server_java
69 CVEs
Businessobjects Business Intelligence
businessobjects_business_intelligence
45 CVEs
Hana
hana
38 CVEs
Solution Manager
solution_manager
33 CVEs
Business One
business_one
31 CVEs
Internet Graphics Server
internet_graphics_server
28 CVEs
3d Visual Enterprise Author
3d_visual_enterprise_author
27 CVEs
Businessobjects
businessobjects
23 CVEs
Netweaver Abap
netweaver_abap
21 CVEs
Netweaver Process Integration
netweaver_process_integration
21 CVEs
Netweaver Enterprise Portal
netweaver_enterprise_portal
20 CVEs
Hana Extended Application Services
hana_extended_application_services
18 CVEs
Sap Basis
sap_basis
18 CVEs
Commerce Cloud
commerce_cloud
18 CVEs
Business Objects Business Intelligence Platform
business_objects_business_intelligence_platform
18 CVEs
S/4hana
s/4hana
17 CVEs
Disclosure Management
disclosure_management
16 CVEs
Host Agent
host_agent
15 CVEs
Adaptive Server Enterprise
adaptive_server_enterprise
14 CVEs
Enable Now
enable_now
14 CVEs
S4core
s4core
13 CVEs
Sap Db
sap_db
12 CVEs
Customer Relationship Management Webclient Ui
customer_relationship_management_webclient_ui
12 CVEs
Netweaver As Abap
netweaver_as_abap
12 CVEs
Abap Platform
abap_platform
12 CVEs
Sap Web Application Server
sap_web_application_server
11 CVEs
Sap Kernel
sap_kernel
11 CVEs
Supplier Relationship Management
supplier_relationship_management
11 CVEs
Web Dispatcher
web_dispatcher
11 CVEs
Customer Relationship Management
customer_relationship_management
10 CVEs
Netweaver As Abap Business Server Pages
netweaver_as_abap_business_server_pages
10 CVEs
Commerce
commerce
10 CVEs
Internet Transaction Server
internet_transaction_server
9 CVEs
Netweaver Application Server For Java
netweaver_application_server_for_java
9 CVEs
Rfc Library
rfc_library
8 CVEs
Maxdb
maxdb
8 CVEs
Sql Anywhere
sql_anywhere
8 CVEs
Mobile Platform
mobile_platform
8 CVEs
Trex
trex
8 CVEs
Hybris
hybris
8 CVEs
Hana Database
hana_database
8 CVEs
Cloud Connector
cloud_connector
8 CVEs
Landscape Management
landscape_management
8 CVEs
Business Connector
business_connector
7 CVEs
Crystal Reports
crystal_reports
7 CVEs
Afaria
afaria
7 CVEs
Sapscore
sapscore
7 CVEs
S/4 Hana
s/4_hana
7 CVEs
Business Warehouse
business_warehouse
7 CVEs
Netweaver As Internet Graphics Server
netweaver_as_internet_graphics_server
7 CVEs
Sapgui
sapgui
6 CVEs
Erp
erp
6 CVEs
Businessobjects Edge
businessobjects_edge
6 CVEs
Content Server
content_server
6 CVEs
Business Application Software Integrated Solution
business_application_software_integrated_solution
6 CVEs
Business Planning And Consolidation
business_planning_and_consolidation
6 CVEs
Basis
basis
6 CVEs
Fiori Client
fiori_client
6 CVEs
Financial Consolidation
financial_consolidation
6 CVEs
Netweaver Knowledge Management
netweaver_knowledge_management
6 CVEs
Customer Relationship Management S4fnd
customer_relationship_management_s4fnd
6 CVEs
Sap R 3
sap_r_3
5 CVEs
Crystal Reports Server
crystal_reports_server
5 CVEs
Netweaver Java Application Server
netweaver_java_application_server
5 CVEs
Gui For Windows
gui_for_windows
5 CVEs
S4fnd
s4fnd
5 CVEs
Bw/4hana
bw/4hana
5 CVEs
Advanced Business Application Programming Platform Kernel
advanced_business_application_programming_platform_kernel
5 CVEs
Businessobjects Web Intelligence
businessobjects_web_intelligence
5 CVEs
Netweaver As Abap Krnl64uc
netweaver_as_abap_krnl64uc
5 CVEs
Powerdesigner
powerdesigner
5 CVEs
Enjoysap
enjoysap
4 CVEs
Saplpd
saplpd
4 CVEs
Netweaver Development Infrastructure
netweaver_development_infrastructure
4 CVEs
J2ee Engine
j2ee_engine
4 CVEs
Enterprise Portal
enterprise_portal
4 CVEs
Netweaver Abap Application Server
netweaver_abap_application_server
4 CVEs
Commoncryptolib
commoncryptolib
4 CVEs
Business Client
business_client
4 CVEs
Identity Management
identity_management
4 CVEs
Ui
ui
4 CVEs
Businessobjects Bi Platform
businessobjects_bi_platform
4 CVEs
Fiori
fiori
4 CVEs
Advanced Business Application Programming Platform Krnl64nuc
advanced_business_application_programming_platform_krnl64nuc
4 CVEs
Advanced Business Application Programming Platform Krnl64uc
advanced_business_application_programming_platform_krnl64uc
4 CVEs
Diagnostics Agent
diagnostics_agent
4 CVEs
Fiori Launchpad
fiori_launchpad
4 CVEs
Focused Run
focused_run
4 CVEs
Contact Center
contact_center
4 CVEs
Netweaver As Abap Kernel
netweaver_as_abap_kernel
4 CVEs
Netweaver As Abap Krnl64nuc
netweaver_as_abap_krnl64nuc
4 CVEs
Application Interface Framework
application_interface_framework
4 CVEs
Sapsprint
sapsprint
3 CVEs
Graphical User Interface
graphical_user_interface
3 CVEs
Erp Central Component
erp_central_component
3 CVEs
Network Interface Router
network_interface_router
3 CVEs

CVEs (1,576)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2017-16683
1Sap
1Businessobjects
May 13, 2026
Dec 12, 2017
N/A· v4
6.5 MEDIUM· v3
4.0 MEDIUM· v2
Denial of Service (DOS) in SAP Business Objects Platform, Enterprise 4.10 and 4.20, that could allow an attacker to prevent legitimate users from accessing a service.
CVE-2017-16682
1Sap
2Business Application Software Integrated Solution
Netweaver Internet Transaction Server
May 13, 2026
Dec 12, 2017
N/A· v4
7.2 HIGH· v3
6.5 MEDIUM· v2
SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker with administrator credentials to inject code that can be executed by the application...Show more
SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker with administrator credentials to inject code that can be executed by the application and thereby control the behavior of the application.Show less
CVE-2017-16681
1Sap
1Business Intelligence Promotion Management Application
May 13, 2026
Dec 12, 2017
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
Cross-Site Scripting (XSS) vulnerability in SAP Business Intelligence Promotion Management Application, Enterprise 4.10, 4.20, 4.30, as user controlled inputs are not sufficiently encoded.
CVE-2017-16680
1Sap
1Hana Extended Application Services
May 13, 2026
Dec 12, 2017
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Two potential audit log injections in SAP HANA extended application services 1.0, advanced model: 1) Certain HTTP/REST endpoints of controller service are missing user input validation which could allow unprivileged atta...Show more
Two potential audit log injections in SAP HANA extended application services 1.0, advanced model: 1) Certain HTTP/REST endpoints of controller service are missing user input validation which could allow unprivileged attackers to forge audit log lines. Hence the interpretation of audit log files could be hindered or misdirected. 2) User Account and Authentication writes audit logs into syslog and additionally writes the same audit entries into a log file. Entries in the log file miss escaping. Hence the interpretation of audit log files could be hindered or misdirected, while the entries in syslog are correct.Show less
CVE-2017-16679
1Sap
1Sap Kernel
May 13, 2026
Dec 12, 2017
N/A· v4
6.1 MEDIUM· v3
5.8 MEDIUM· v2
URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52, that...Show more
URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52, that allows an attacker to redirect users to a malicious site.Show less
CVE-2017-16678
1Sap
4Epbc
Epbc2Kmc Bc+1 more
May 13, 2026
Dec 12, 2017
N/A· v4
4.7 MEDIUM· v3
6.5 MEDIUM· v2
Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service, EPBC and EPBC2 from 7.00 to 7.02; KMC-BC 7.30, 7.31, 7.40 and 7.50, that allows an attacker to manipulate the...Show more
Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service, EPBC and EPBC2 from 7.00 to 7.02; KMC-BC 7.30, 7.31, 7.40 and 7.50, that allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application.Show less
CVE-2017-14516
1Sap
1Businessobjects Financial Consolidation
May 13, 2026
Dec 3, 2017
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
Cross-Site Scripting (XSS) exists in SAP Business Objects Financial Consolidation before 2017-06-13, aka SAP Security Note 2422292.
CVE-2017-15297
1Sap
1Host Agent
May 13, 2026
Oct 16, 2017
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
SAP Hostcontrol does not require authentication for the SOAP SAPControl endpoint. This is SAP Security Note 2442993.
CVE-2017-15296
1Sap
1Customer Relationship Management
May 13, 2026
Oct 16, 2017
N/A· v4
8.8 HIGH· v3
6.8 MEDIUM· v2
The Java component in SAP CRM has CSRF. This is SAP Security Note 2478964.
CVE-2017-15295
1Sap
1Point Of Sale Xpress Server
May 13, 2026
Oct 16, 2017
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
Xpress Server in SAP POS does not require authentication for read/write/delete file access. This is SAP Security Note 2520064.
CVE-2017-15294
1Sap
1Customer Relationship Management
May 13, 2026
Oct 16, 2017
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
The Java administration console in SAP CRM has XSS. This is SAP Security Note 2478964.
CVE-2017-15293
1Sap
1Point Of Sale Xpress Server
May 13, 2026
Oct 16, 2017
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064.
CVE-2017-10701
1Sap
1Enterprise Portal
May 13, 2026
Sep 29, 2017
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
Cross site scripting (XSS) vulnerability in SAP Enterprise Portal 7.50 allows remote attackers to inject arbitrary web script or HTML, aka SAP Security Notes 2469860, 2471209, and 2488516.
CVE-2017-14581
1Sap
1Netweaver Application Server Java
May 13, 2026
Sep 19, 2017
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash) via a crafted request, aka SAP Security Note 2389181.
CVE-2017-14511
1Sap
1E Recruiting
May 13, 2026
Sep 17, 2017
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
An issue was discovered in SAP E-Recruiting (aka ERECRUIT) 605 through 617. When an external applicant registers to the E-Recruiting application, he/she receives a link by email to confirm access to the provided email ad...Show more
An issue was discovered in SAP E-Recruiting (aka ERECRUIT) 605 through 617. When an external applicant registers to the E-Recruiting application, he/she receives a link by email to confirm access to the provided email address. However, this measure can be bypassed and attackers can register and confirm email addresses that they do not have access to (candidate_hrobject is predictable and corr_act_guid is improperly validated). Furthermore, since an email address can be registered only once, an attacker could prevent other legitimate users from registering. This is SAP Security Note 2507798.Show less
CVE-2015-7241
1Sap
1Netweaver
May 13, 2026
Sep 6, 2017
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01.
CVE-2014-8871
1Sap
1Hybris
May 13, 2026
Aug 28, 2017
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Directory traversal vulnerability in hybris Commerce software suite 5.0.3.3 and earlier, 5.0.0.3 and earlier, 5.0.4.4 and earlier, 5.1.0.1 and earlier, 5.1.1.2 and earlier, 5.2.0.3 and earlier, and 5.3.0.1 and earlier.
CVE-2017-12637
1Sap
1Netweaver Application Server Java
Apr 22, 2026
Aug 7, 2017
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string...Show more
Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.Show less
CVE-2017-11460
1Sap
1Netweaver Portal
May 13, 2026
Jul 25, 2017
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
Cross-site scripting (XSS) vulnerability in the DataArchivingService servlet in SAP NetWeaver Portal 7.4 allows remote attackers to inject arbitrary web script or HTML via the responsecode parameter to shp/shp_result.jsp...Show more
Cross-site scripting (XSS) vulnerability in the DataArchivingService servlet in SAP NetWeaver Portal 7.4 allows remote attackers to inject arbitrary web script or HTML via the responsecode parameter to shp/shp_result.jsp, aka SAP Security Note 2308535.Show less
CVE-2017-11459
1Sap
1Trex
May 13, 2026
Jul 25, 2017
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via an fget command or (2) write to arbitrary files and consequently execute arbitrary code via an fdir command, aka SAP Security Note 2419592.