CVSS: 7.7EPSS: 0%CPEs: 14EXPL: 0CVE-2025-42952 – Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis
https://notcve.org/view.php?id=CVE-2025-42952
08 Jul 2025 — SAP Business Warehouse and SAP Plug-In Basis allows an authenticated attacker to add fields to arbitrary SAP database tables and/or structures, potentially rendering the system unusable. On successful exploitation, an attacker can render the system unusable by triggering short dumps on login. This could cause a high impact on availability. Data confidentiality and integrity are not affected. No data can be read, changed or deleted. • https://me.sap.com/notes/3623255 • CWE-862: Missing Authorization •
CVSS: 8.5EPSS: 0%CPEs: 14EXPL: 0CVE-2025-42983 – Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis
https://notcve.org/view.php?id=CVE-2025-42983
10 Jun 2025 — SAP Business Warehouse and SAP Plug-In Basis allows an authenticated attacker to drop arbitrary SAP database tables, potentially resulting in a loss of data or rendering the system unusable. On successful exploitation, an attacker can completely delete database entries but is not able to read any data. • https://me.sap.com/notes/3606484 • CWE-862: Missing Authorization •
CVSS: 7.7EPSS: 0%CPEs: 6EXPL: 0CVE-2025-43011 – Missing Authorization Check in SAP Landscape Transformation (PCL Basis)
https://notcve.org/view.php?id=CVE-2025-43011
13 May 2025 — Under certain conditions, SAP Landscape Transformation's PCL Basis module does not perform the necessary authorization checks, allowing authenticated users to access restricted functionalities or data. This can lead to a high impact on confidentiality with no impact on the integrity or availability of the application. • https://me.sap.com/notes/3591978 • CWE-862: Missing Authorization •
CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-34689 – [CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services)
https://notcve.org/view.php?id=CVE-2024-34689
09 Jul 2024 — WebFlow Services of SAP Business Workflow allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application. WebFlow Services de SAP Business Workflow permite a un atacante autenticado enumerar endpoints HTTP accesibles en la red interna mediante la elaboración especial de solicitudes HTTP. Si se explota con... • https://me.sap.com/notes/3458789 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.1EPSS: 4%CPEs: 10EXPL: 0CVE-2024-22131 – Code Injection vulnerability in SAP ABA (Application Basis)
https://notcve.org/view.php?id=CVE-2024-22131
13 Feb 2024 — In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I, an attacker authenticated as a user with a remote execution authorization can use a vulnerable interface. This allows the attacker to use the interface to invoke an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can read or modify any user/business data and can make the entire system unavailable. En SAP ABA (Application Bas... • https://me.sap.com/notes/3420923 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2023-29110 – Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)
https://notcve.org/view.php?id=CVE-2023-29110
11 Apr 2023 — The SAP Application Interface (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 100, 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows the usage HTML tags. An authorized attacker can use some of the basic HTML codes such as heading, basic formatting and lists, then an attacker can inject images from the foreign domains. After successful exploitations, an attacker can cause limited impact on the confidentiality and integrity of the application. • https://launchpad.support.sap.com/#/notes/3113349 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-29109 – Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)
https://notcve.org/view.php?id=CVE-2023-29109
11 Apr 2023 — The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application. • https://launchpad.support.sap.com/#/notes/3115598 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 9.0EPSS: 0%CPEs: 13EXPL: 0CVE-2022-41264
https://notcve.org/view.php?id=CVE-2022-41264
13 Dec 2022 — Due to the unrestricted scope of the RFC function module, SAP BASIS - versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing a high impact on the integrity of the application. Debido al alcance ilimitado del módulo de función... • https://launchpad.support.sap.com/#/notes/3268172 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0CVE-2020-6307
https://notcve.org/view.php?id=CVE-2020-6307
14 Jan 2020 — Automated Note Search Tool (update provided in SAP Basis 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54) does not perform sufficient authorization checks leading to the reading of sensitive information. Automated Note Search Tool (actualización proporcionada en SAP Basis versiones 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 y 7.54), no realiza suficientes comprobaciones de autorización conllevando a la lectura de información confidencial. • https://launchpad.support.sap.com/#/notes/2863397 • CWE-863: Incorrect Authorization •
CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 0CVE-2019-0248
https://notcve.org/view.php?id=CVE-2019-0248
08 Jan 2019 — Under certain conditions SAP Gateway of ABAP Application Server (fixed in SAP_GWFND 7.5, 7.51, 7.52, 7.53; SAP_BASIS 7.5) allows an attacker to access information which would otherwise be restricted. Bajo ciertas condiciones, SAP Gateway of ABAP Application Server (solucionado en SAP_GWFND 7.5, 7.51, 7.52, 7.53; SAP_BASIS 7.5) permite que un atacante acceda a información que normalmente estaría restringida. • http://www.securityfocus.com/bid/106471 •