Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-0514 (GCVE-0-2026-0514)
Vulnerability from cvelistv5 – Published: 2026-01-13 01:16 – Updated: 2026-01-13 14:38
VLAI
EPSS
Title
Cross-Site Scripting (XSS) vulnerability in SAP Business Connector
Summary
Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | SAP Business Connector |
Affected:
SAP BC 4.8
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0514",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T14:38:12.759527Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T14:38:19.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Business Connector",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SAP BC 4.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDue to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability.\u003c/p\u003e"
}
],
"value": "Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T01:16:03.501Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3666061"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Site Scripting (XSS) vulnerability in SAP Business Connector",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2026-0514",
"datePublished": "2026-01-13T01:16:03.501Z",
"dateReserved": "2025-12-09T22:06:52.467Z",
"dateUpdated": "2026-01-13T14:38:19.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-0514",
"date": "2026-06-17",
"epss": "0.00168",
"percentile": "0.0648"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-0514\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2026-01-13T02:15:54.113\",\"lastModified\":\"2026-01-16T16:53:03.113\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cna@sap.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:business_connector:4.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"99F0C742-7E03-425D-BCFC-F4683843350F\"}]}]}],\"references\":[{\"url\":\"https://me.sap.com/notes/3666061\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://url.sap/sapsecuritypatchday\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-0514\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-13T14:38:12.759527Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-13T14:38:16.619Z\"}}], \"cna\": {\"title\": \"Cross-Site Scripting (XSS) vulnerability in SAP Business Connector\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SAP_SE\", \"product\": \"SAP Business Connector\", \"versions\": [{\"status\": \"affected\", \"version\": \"SAP BC 4.8\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://me.sap.com/notes/3666061\"}, {\"url\": \"https://url.sap/sapsecuritypatchday\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eDue to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"eng\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2026-01-13T01:16:03.501Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-0514\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-13T14:38:19.675Z\", \"dateReserved\": \"2025-12-09T22:06:52.467Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2026-01-13T01:16:03.501Z\", \"assignerShortName\": \"sap\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
CERTFR-2026-AVI-0034
Vulnerability from certfr_avis - Published: 2026-01-14 - Updated: 2026-01-14
De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Landscape Transformation versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752 et 2020 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107 et 108 sans le dernier correctif de sécurité | ||
| SAP | ERP Central Component and S/4HANA | ERP Central Component and S/4HANA (EHS Management) versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 605, 606 et 617 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver Application Server ABAP et ABAP Platform | NetWeaver Application Server ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | HANA database version HDB 2.00 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver Enterprise Portal | NetWeaver Enterprise Portal version EP-RUNTIME 7.50 sans le dernier correctif de sécurité | ||
| SAP | Fiori App | Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107 et 108 sans le dernier correctif de sécurité | ||
| SAP | S/4HANA | S/4HANA (Private Cloud and On-Premise) versions S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 sans le dernier correctif de sécurité | ||
| SAP | Business Server Pages Application | Business Server Pages Application (Product Designer Web UI) versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606 et 617 sans le dernier correctif de sécurité | ||
| SAP | Business Connector | Business Connector version SAP BC 4.8 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | NetWeaver Application Server ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Business Server Pages Application (Product Designer Web UI) versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606 et 617 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | NW AS Java UME User Mapping versions ENGINEAPI 7.50, SERVERCORE 7.50 et UMEADMIN 7.50 sans le dernier correctif de sécurité | ||
| SAP | Supplier Relationship Management | Supplier Relationship Management (SICF Handler in SRM Catalog) versions SRM_SERVER 700, 701, 702, 713 et 714 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Application Server for ABAP and NetWeaver RFCSDK versions KRNL64UC 7.53, NWRFCSDK 7.50, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93 et 9.16 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | S/4HANA Private Cloud and On-Premise (Financials General Ledger) versions S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 sans le dernier correctif de sécurité | ||
| SAP | S/4HANA Private Cloud and On-Premise | S/4HANA Private Cloud and On-Premise (Financials General Ledger) versions S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | S/4HANA (Private Cloud and On-Premise) versions S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 sans le dernier correctif de sécurité | ||
| SAP | Fiori App | Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107, 108, 109 et UIS4H 109 sans le dernier correctif de sécurité | ||
| SAP | Wily Introscope Enterprise Manager | Wily Introscope Enterprise Manager (WorkStation) version WILY_INTRO_ENTERPRISE 10.8 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | ERP Central Component and S/4HANA (EHS Management) versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 605, 606 et 617 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver Enterprise Portal | NW AS Java UME User Mapping versions ENGINEAPI 7.50, SERVERCORE 7.50 et UMEADMIN 7.50 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | NetWeaver Enterprise Portal version EP-RUNTIME 7.50 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Supplier Relationship Management (SICF Handler in SRM Catalog) versions SRM_SERVER 700, 701, 702, 713 et 714 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Identity Management versions IDM_CLM_REST_API 8.0 et IDMIC 8.0 sans le dernier correctif de sécurité | ||
| SAP | Identity Management | Identity Management versions IDM_CLM_REST_API 8.0 et IDMIC 8.0 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Wily Introscope Enterprise Manager (WorkStation) version WILY_INTRO_ENTERPRISE 10.8 sans le dernier correctif de sécurité | ||
| SAP | HANA database | HANA database version HDB 2.00 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107, 108, 109 et UIS4H 109 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902 et UIS4H 109 sans le dernier correctif de sécurité | ||
| SAP | Fiori App | Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902 et UIS4H 109 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Business Connector version SAP BC 4.8 sans le dernier correctif de sécurité | ||
| SAP | Landscape Transformation | Landscape Transformation versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752 et 2020 sans le dernier correctif de sécurité |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Landscape Transformation versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752 et 2020 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107 et 108 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "ERP Central Component and S/4HANA (EHS Management) versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 605, 606 et 617 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "ERP Central Component and S/4HANA",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver Application Server ABAP et ABAP Platform",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "HANA database version HDB 2.00 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Enterprise Portal version EP-RUNTIME 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver Enterprise Portal",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107 et 108 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Fiori App",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "S/4HANA (Private Cloud and On-Premise) versions S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "S/4HANA",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Business Server Pages Application (Product Designer Web UI) versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606 et 617 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Business Server Pages Application",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Business Connector version SAP BC 4.8 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Business Connector",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Business Server Pages Application (Product Designer Web UI) versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606 et 617 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NW AS Java UME User Mapping versions ENGINEAPI 7.50, SERVERCORE 7.50 et UMEADMIN 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Supplier Relationship Management (SICF Handler in SRM Catalog) versions SRM_SERVER 700, 701, 702, 713 et 714 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Supplier Relationship Management",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Application Server for ABAP and NetWeaver RFCSDK versions KRNL64UC 7.53, NWRFCSDK 7.50, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93 et 9.16 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "S/4HANA Private Cloud and On-Premise (Financials General Ledger) versions S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "S/4HANA Private Cloud and On-Premise (Financials General Ledger) versions S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "S/4HANA Private Cloud and On-Premise",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "S/4HANA (Private Cloud and On-Premise) versions S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107, 108, 109 et UIS4H 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Fiori App",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Wily Introscope Enterprise Manager (WorkStation) version WILY_INTRO_ENTERPRISE 10.8 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Wily Introscope Enterprise Manager",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "ERP Central Component and S/4HANA (EHS Management) versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 605, 606 et 617 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NW AS Java UME User Mapping versions ENGINEAPI 7.50, SERVERCORE 7.50 et UMEADMIN 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver Enterprise Portal",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Enterprise Portal version EP-RUNTIME 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Supplier Relationship Management (SICF Handler in SRM Catalog) versions SRM_SERVER 700, 701, 702, 713 et 714 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Identity Management versions IDM_CLM_REST_API 8.0 et IDMIC 8.0 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Identity Management versions IDM_CLM_REST_API 8.0 et IDMIC 8.0 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Identity Management",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Wily Introscope Enterprise Manager (WorkStation) version WILY_INTRO_ENTERPRISE 10.8 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "HANA database version HDB 2.00 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "HANA database",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107, 108, 109 et UIS4H 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902 et UIS4H 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902 et UIS4H 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Fiori App",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Business Connector version SAP BC 4.8 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Landscape Transformation versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752 et 2020 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Landscape Transformation",
"vendor": {
"name": "SAP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-0507",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0507"
},
{
"name": "CVE-2026-0506",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0506"
},
{
"name": "CVE-2026-0510",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0510"
},
{
"name": "CVE-2026-0500",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0500"
},
{
"name": "CVE-2026-0503",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0503"
},
{
"name": "CVE-2026-0492",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0492"
},
{
"name": "CVE-2026-0498",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0498"
},
{
"name": "CVE-2026-0493",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0493"
},
{
"name": "CVE-2026-0514",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0514"
},
{
"name": "CVE-2026-0501",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0501"
},
{
"name": "CVE-2026-0494",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0494"
},
{
"name": "CVE-2026-0497",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0497"
},
{
"name": "CVE-2026-0513",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0513"
},
{
"name": "CVE-2026-0495",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0495"
},
{
"name": "CVE-2026-0496",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0496"
},
{
"name": "CVE-2026-0491",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0491"
},
{
"name": "CVE-2026-0504",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0504"
},
{
"name": "CVE-2026-0499",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0499"
},
{
"name": "CVE-2026-0511",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0511"
}
],
"initial_release_date": "2026-01-14T00:00:00",
"last_revision_date": "2026-01-14T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0034",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Injection SQL (SQLi)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
"vendor_advisories": [
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 SAP january-2026",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2026.html"
}
]
}
CERTFR-2026-AVI-0034
Vulnerability from certfr_avis - Published: 2026-01-14 - Updated: 2026-01-14
De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Landscape Transformation versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752 et 2020 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107 et 108 sans le dernier correctif de sécurité | ||
| SAP | ERP Central Component and S/4HANA | ERP Central Component and S/4HANA (EHS Management) versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 605, 606 et 617 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver Application Server ABAP et ABAP Platform | NetWeaver Application Server ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | HANA database version HDB 2.00 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver Enterprise Portal | NetWeaver Enterprise Portal version EP-RUNTIME 7.50 sans le dernier correctif de sécurité | ||
| SAP | Fiori App | Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107 et 108 sans le dernier correctif de sécurité | ||
| SAP | S/4HANA | S/4HANA (Private Cloud and On-Premise) versions S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 sans le dernier correctif de sécurité | ||
| SAP | Business Server Pages Application | Business Server Pages Application (Product Designer Web UI) versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606 et 617 sans le dernier correctif de sécurité | ||
| SAP | Business Connector | Business Connector version SAP BC 4.8 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | NetWeaver Application Server ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Business Server Pages Application (Product Designer Web UI) versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606 et 617 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | NW AS Java UME User Mapping versions ENGINEAPI 7.50, SERVERCORE 7.50 et UMEADMIN 7.50 sans le dernier correctif de sécurité | ||
| SAP | Supplier Relationship Management | Supplier Relationship Management (SICF Handler in SRM Catalog) versions SRM_SERVER 700, 701, 702, 713 et 714 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Application Server for ABAP and NetWeaver RFCSDK versions KRNL64UC 7.53, NWRFCSDK 7.50, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93 et 9.16 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | S/4HANA Private Cloud and On-Premise (Financials General Ledger) versions S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 sans le dernier correctif de sécurité | ||
| SAP | S/4HANA Private Cloud and On-Premise | S/4HANA Private Cloud and On-Premise (Financials General Ledger) versions S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | S/4HANA (Private Cloud and On-Premise) versions S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 sans le dernier correctif de sécurité | ||
| SAP | Fiori App | Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107, 108, 109 et UIS4H 109 sans le dernier correctif de sécurité | ||
| SAP | Wily Introscope Enterprise Manager | Wily Introscope Enterprise Manager (WorkStation) version WILY_INTRO_ENTERPRISE 10.8 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | ERP Central Component and S/4HANA (EHS Management) versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 605, 606 et 617 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver Enterprise Portal | NW AS Java UME User Mapping versions ENGINEAPI 7.50, SERVERCORE 7.50 et UMEADMIN 7.50 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | NetWeaver Enterprise Portal version EP-RUNTIME 7.50 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Supplier Relationship Management (SICF Handler in SRM Catalog) versions SRM_SERVER 700, 701, 702, 713 et 714 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Identity Management versions IDM_CLM_REST_API 8.0 et IDMIC 8.0 sans le dernier correctif de sécurité | ||
| SAP | Identity Management | Identity Management versions IDM_CLM_REST_API 8.0 et IDMIC 8.0 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Wily Introscope Enterprise Manager (WorkStation) version WILY_INTRO_ENTERPRISE 10.8 sans le dernier correctif de sécurité | ||
| SAP | HANA database | HANA database version HDB 2.00 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107, 108, 109 et UIS4H 109 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902 et UIS4H 109 sans le dernier correctif de sécurité | ||
| SAP | Fiori App | Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902 et UIS4H 109 sans le dernier correctif de sécurité | ||
| SAP | Application Server for ABAP and NetWeaver RFCSDK | Business Connector version SAP BC 4.8 sans le dernier correctif de sécurité | ||
| SAP | Landscape Transformation | Landscape Transformation versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752 et 2020 sans le dernier correctif de sécurité |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Landscape Transformation versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752 et 2020 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107 et 108 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "ERP Central Component and S/4HANA (EHS Management) versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 605, 606 et 617 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "ERP Central Component and S/4HANA",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver Application Server ABAP et ABAP Platform",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "HANA database version HDB 2.00 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Enterprise Portal version EP-RUNTIME 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver Enterprise Portal",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107 et 108 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Fiori App",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "S/4HANA (Private Cloud and On-Premise) versions S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "S/4HANA",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Business Server Pages Application (Product Designer Web UI) versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606 et 617 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Business Server Pages Application",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Business Connector version SAP BC 4.8 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Business Connector",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Business Server Pages Application (Product Designer Web UI) versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606 et 617 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NW AS Java UME User Mapping versions ENGINEAPI 7.50, SERVERCORE 7.50 et UMEADMIN 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Supplier Relationship Management (SICF Handler in SRM Catalog) versions SRM_SERVER 700, 701, 702, 713 et 714 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Supplier Relationship Management",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Application Server for ABAP and NetWeaver RFCSDK versions KRNL64UC 7.53, NWRFCSDK 7.50, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93 et 9.16 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "S/4HANA Private Cloud and On-Premise (Financials General Ledger) versions S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "S/4HANA Private Cloud and On-Premise (Financials General Ledger) versions S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "S/4HANA Private Cloud and On-Premise",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "S/4HANA (Private Cloud and On-Premise) versions S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107, 108, 109 et UIS4H 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Fiori App",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Wily Introscope Enterprise Manager (WorkStation) version WILY_INTRO_ENTERPRISE 10.8 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Wily Introscope Enterprise Manager",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "ERP Central Component and S/4HANA (EHS Management) versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 605, 606 et 617 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NW AS Java UME User Mapping versions ENGINEAPI 7.50, SERVERCORE 7.50 et UMEADMIN 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver Enterprise Portal",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Enterprise Portal version EP-RUNTIME 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Supplier Relationship Management (SICF Handler in SRM Catalog) versions SRM_SERVER 700, 701, 702, 713 et 714 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Identity Management versions IDM_CLM_REST_API 8.0 et IDMIC 8.0 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Identity Management versions IDM_CLM_REST_API 8.0 et IDMIC 8.0 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Identity Management",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Wily Introscope Enterprise Manager (WorkStation) version WILY_INTRO_ENTERPRISE 10.8 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "HANA database version HDB 2.00 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "HANA database",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107, 108, 109 et UIS4H 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902 et UIS4H 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori App (Intercompany Balance Reconciliation) versions UIAPFI70 500, 600, 700, 800, 900, 901, 902 et UIS4H 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Fiori App",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Business Connector version SAP BC 4.8 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Application Server for ABAP and NetWeaver RFCSDK",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Landscape Transformation versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752 et 2020 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Landscape Transformation",
"vendor": {
"name": "SAP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-0507",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0507"
},
{
"name": "CVE-2026-0506",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0506"
},
{
"name": "CVE-2026-0510",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0510"
},
{
"name": "CVE-2026-0500",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0500"
},
{
"name": "CVE-2026-0503",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0503"
},
{
"name": "CVE-2026-0492",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0492"
},
{
"name": "CVE-2026-0498",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0498"
},
{
"name": "CVE-2026-0493",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0493"
},
{
"name": "CVE-2026-0514",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0514"
},
{
"name": "CVE-2026-0501",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0501"
},
{
"name": "CVE-2026-0494",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0494"
},
{
"name": "CVE-2026-0497",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0497"
},
{
"name": "CVE-2026-0513",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0513"
},
{
"name": "CVE-2026-0495",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0495"
},
{
"name": "CVE-2026-0496",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0496"
},
{
"name": "CVE-2026-0491",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0491"
},
{
"name": "CVE-2026-0504",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0504"
},
{
"name": "CVE-2026-0499",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0499"
},
{
"name": "CVE-2026-0511",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0511"
}
],
"initial_release_date": "2026-01-14T00:00:00",
"last_revision_date": "2026-01-14T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0034",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Injection SQL (SQLi)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
"vendor_advisories": [
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 SAP january-2026",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2026.html"
}
]
}
Title
Уязвимость приложения для автоматизации бизнес-процессов и обработки данных SAP Business Connector (SAP BC), связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю проводить межсайтовые сценарные атаки
Description
Уязвимость приложения для автоматизации бизнес-процессов и обработки данных SAP Business Connector (SAP BC) связана с непринятием мер по защите структуры веб-страницы. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, проводить межсайтовые сценарные атаки
Severity
Vendor
SAP
Software Name
SAP Business Connector (SAP BC)
Software Version
4.8 (SAP Business Connector (SAP BC))
Possible Mitigations
Использование рекомендаций:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2026.html
Reference
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2026.html
CWE
CWE-79
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "SAP",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "4.8 (SAP Business Connector (SAP BC))",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2026.html",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "12.01.2026",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "20.01.2026",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "20.01.2026",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2026-00630",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2026-0514",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "SAP Business Connector (SAP BC)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u0434\u043b\u044f \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0437\u0430\u0446\u0438\u0438 \u0431\u0438\u0437\u043d\u0435\u0441-\u043f\u0440\u043e\u0446\u0435\u0441\u0441\u043e\u0432 \u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 SAP Business Connector (SAP BC), \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435\u043c \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u0440\u043e\u0432\u043e\u0434\u0438\u0442\u044c \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u044b\u0435 \u0430\u0442\u0430\u043a\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435 \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b (\u0438\u043b\u0438 \\\u00ab\u041c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u0430\u044f \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u0430\u044f \u0430\u0442\u0430\u043a\u0430\\\u00bb) (CWE-79)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u0434\u043b\u044f \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0437\u0430\u0446\u0438\u0438 \u0431\u0438\u0437\u043d\u0435\u0441-\u043f\u0440\u043e\u0446\u0435\u0441\u0441\u043e\u0432 \u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 SAP Business Connector (SAP BC) \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435\u043c \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u043f\u0440\u043e\u0432\u043e\u0434\u0438\u0442\u044c \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u044b\u0435 \u0430\u0442\u0430\u043a\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2026.html",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u0421\u0440\u0435\u0434\u0441\u0442\u0432\u043e \u0410\u0421\u0423 \u0422\u041f, \u041f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e \u0410\u0421\u0423 \u0422\u041f",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-79",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,4)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,1)"
}
FKIE_CVE-2026-0514
Vulnerability from fkie_nvd - Published: 2026-01-13 02:15 - Updated: 2026-06-17 10:10
Severity
Summary
Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability.
References
| URL | Tags | ||
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3666061 | Permissions Required | |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | business_connector | 4.8 |
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"product": "SAP Business Connector",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SAP BC 4.8"
}
]
}
],
"source": "cna@sap.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:business_connector:4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "99F0C742-7E03-425D-BCFC-F4683843350F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability."
},
{
"lang": "es",
"value": "Debido a una vulnerabilidad de cross-site scripting (XSS) en SAP Business Connector, un atacante no autenticado podr\u00eda crear un enlace malicioso. Cuando un usuario desprevenido hace clic en este enlace, el usuario podr\u00eda ser redirigido a un sitio controlado por el atacante. La explotaci\u00f3n exitosa podr\u00eda permitir al atacante acceder o modificar informaci\u00f3n relacionada con el cliente web, lo que afectar\u00eda la confidencialidad y la integridad, sin efecto en la disponibilidad."
}
],
"id": "CVE-2026-0514",
"lastModified": "2026-06-17T10:10:52.657",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cna@sap.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-0514",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T14:38:12.759527Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-01-13T02:15:54.113",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3666061"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://url.sap/sapsecuritypatchday"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cna@sap.com",
"type": "Secondary"
}
]
}
GHSA-XMMH-WMH6-HP5H
Vulnerability from github – Published: 2026-01-13 03:32 – Updated: 2026-01-13 03:32
VLAI
Details
Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability.
Severity
6.1 (Medium)
{
"affected": [],
"aliases": [
"CVE-2026-0514"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T02:15:54Z",
"severity": "MODERATE"
},
"details": "Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability.",
"id": "GHSA-xmmh-wmh6-hp5h",
"modified": "2026-01-13T03:32:09Z",
"published": "2026-01-13T03:32:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0514"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3666061"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
NCSC-2026-0006
Vulnerability from csaf_ncscnl - Published: 2026-01-13 14:42 - Updated: 2026-01-13 14:42Summary
Kwetsbaarheden verholpen in SAP producten
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: SAP heeft kwetsbaarheden verholpen in SAP S/4HANA (Private Cloud en On-Premise), SAP Wily Introscope Enterprise Manager, SAP Landscape Transformation, SAP HANA, SAP Application Server voor ABAP, SAP NetWeaver, SAP ECC, SAP Fiori App voor Intercompany Balance Reconciliation, SAP NetWeaver Application Server ABAP, SAP Business Connector, SAP Supplier Relationship Management, SAP Identity Management, en SAP User Management Engine.
Interpretaties: De kwetsbaarheden variëren van SQL-injectie en OS-commando-injectie tot privilege-escalatie en Cross-Site Scripting (XSS). Aanvallers kunnen deze kwetsbaarheden misbruiken om ongeautoriseerde toegang te verkrijgen, gegevensintegriteit in gevaar te brengen, of zelfs volledige systeemcompromittering te veroorzaken. De impact op de vertrouwelijkheid, integriteit en beschikbaarheid van de systemen is aanzienlijk, vooral voor producten zoals SAP S/4HANA en SAP HANA, waar aanvallers met admin-rechten schadelijke ABAP-code kunnen injecteren. Andere kwetsbaarheden, zoals onvoldoende autorisatiecontroles in SAP Fiori Apps, kunnen leiden tot privilege-escalatie en ongeautoriseerde toegang tot gevoelige informatie.
Oplossingen: SAP heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: high
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-306: Missing Authentication for Critical Function
CWE-326: Inadequate Encryption Strength
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CWE-862: Missing Authorization
CWE-943: Improper Neutralization of Special Elements in Data Query Logic
An authenticated user can exploit a SQL Injection vulnerability in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) due to insufficient input validation, affecting the application's confidentiality, integrity, and availability.
9.9 (Critical)
Affected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
An unauthenticated attacker can exploit a vulnerability in SAP Wily Introscope Enterprise Manager to execute OS commands remotely via a malicious JNLP file, posing a significant security risk.
9.6 (Critical)
Affected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
SAP S/4HANA (Private Cloud and On-Premise) has a critical vulnerability allowing admin-level attackers to inject arbitrary ABAP code or OS commands, bypassing authorization checks.
9.1 (Critical)
Affected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
SAP Landscape Transformation contains a critical vulnerability that allows admin-level attackers to inject arbitrary ABAP code or OS commands, bypassing authorization checks.
9.1 (Critical)
Affected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
The SAP HANA database contains a privilege escalation vulnerability that enables an authenticated user to switch to another user, potentially gaining administrative access.
8.8 (High)
Affected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
An OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK allows authenticated attackers to execute arbitrary OS commands, risking system confidentiality, integrity, and availability.
8.4 (High)
Affected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
The SAP Fiori App for Intercompany Balance Reconciliation has critical vulnerabilities, including a lack of essential authorization checks, which may lead to privilege escalation and compromise confidentiality and integrity.
8.1 (High)
Affected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
A vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform allows authenticated attackers to exploit an RFC function, potentially compromising data integrity through unauthorized execution of form routines.
8.1 (High)
Affected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
A vulnerability in SAP ECC and SAP S/4HANA allows attackers to extract hardcoded credentials and bypass authentication, potentially compromising EHS objects due to a missing authorization check.
6.4 (Medium)
Affected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
SAP NetWeaver Enterprise Portal is susceptible to Cross-Site Scripting (XSS), enabling attackers to inject malicious scripts through URL parameters, potentially resulting in session theft and content manipulation.
6.1 (Medium)
Affected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
A Cross-Site Scripting (XSS) vulnerability in SAP Business Connector enables unauthenticated attackers to redirect users to malicious sites, jeopardizing the confidentiality and integrity of webclient information.
6.1 (Medium)
Affected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
An Open Redirect Vulnerability in SAP Supplier Relationship Management allows unauthenticated attackers to redirect users to malicious sites, posing a low risk to application integrity.
4.7 (Medium)
Affected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
The SAP Fiori App Intercompany Balance Reconciliation has a low-risk vulnerability that may allow unauthorized access to restricted information, with no impact on integrity or availability.
4.3 (Medium)
Affected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
A CSRF vulnerability in the SAP Fiori App for Intercompany Balance Reconciliation may allow attackers to execute actions on behalf of authenticated users, presenting a low risk to system integrity.
4.3 (Medium)
Affected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
The SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information, but lacks an authorization check, posing a low confidentiality risk.
4.3 (Medium)
Affected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
The SAP Identity Management REST interface has a vulnerability due to insufficient input handling, allowing authenticated administrators to execute malicious REST requests, potentially leading to limited data disclosure or modification.
CWE-943 - Improper Neutralization of Special Elements in Data Query LogicAffected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
The User Management Engine in NetWeaver Application Server for Java employs an outdated cryptographic algorithm, allowing potential partial disclosure of sensitive information by high-privileged attackers.
CWE-326 - Inadequate Encryption StrengthAffected products
Known affected
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP and NetWeaver RFCSDK
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Business Server Pages Application
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / ERP Central Component and S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Fiori App
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA Database
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Identity Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Landscape Transformation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NW AS Java UME User Mapping
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA Private Cloud and On-Premise
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Software
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Wily Introscope Enterprise Manager
|
vers:unknown/* |
References
18 references
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "SAP heeft kwetsbaarheden verholpen in SAP S/4HANA (Private Cloud en On-Premise), SAP Wily Introscope Enterprise Manager, SAP Landscape Transformation, SAP HANA, SAP Application Server voor ABAP, SAP NetWeaver, SAP ECC, SAP Fiori App voor Intercompany Balance Reconciliation, SAP NetWeaver Application Server ABAP, SAP Business Connector, SAP Supplier Relationship Management, SAP Identity Management, en SAP User Management Engine.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden vari\u00ebren van SQL-injectie en OS-commando-injectie tot privilege-escalatie en Cross-Site Scripting (XSS). Aanvallers kunnen deze kwetsbaarheden misbruiken om ongeautoriseerde toegang te verkrijgen, gegevensintegriteit in gevaar te brengen, of zelfs volledige systeemcompromittering te veroorzaken. De impact op de vertrouwelijkheid, integriteit en beschikbaarheid van de systemen is aanzienlijk, vooral voor producten zoals SAP S/4HANA en SAP HANA, waar aanvallers met admin-rechten schadelijke ABAP-code kunnen injecteren. Andere kwetsbaarheden, zoals onvoldoende autorisatiecontroles in SAP Fiori Apps, kunnen leiden tot privilege-escalatie en ongeautoriseerde toegang tot gevoelige informatie.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "SAP heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "general",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"title": "CWE-89"
},
{
"category": "general",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "general",
"text": "Missing Authentication for Critical Function",
"title": "CWE-306"
},
{
"category": "general",
"text": "Inadequate Encryption Strength",
"title": "CWE-326"
},
{
"category": "general",
"text": "Cross-Site Request Forgery (CSRF)",
"title": "CWE-352"
},
{
"category": "general",
"text": "Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"title": "CWE-497"
},
{
"category": "general",
"text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"title": "CWE-601"
},
{
"category": "general",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements in Data Query Logic",
"title": "CWE-943"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2026.html"
}
],
"title": "Kwetsbaarheden verholpen in SAP producten",
"tracking": {
"current_release_date": "2026-01-13T14:42:24.621603Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2026-0006",
"initial_release_date": "2026-01-13T14:42:24.621603Z",
"revision_history": [
{
"date": "2026-01-13T14:42:24.621603Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "Application Server for ABAP and NetWeaver RFCSDK"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "Business Server Pages Application"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "ERP Central Component and S4HANA"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-4"
}
}
],
"category": "product_name",
"name": "Fiori App"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-5"
}
}
],
"category": "product_name",
"name": "HANA Database"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-6"
}
}
],
"category": "product_name",
"name": "Identity Management"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-7"
}
}
],
"category": "product_name",
"name": "Landscape Transformation"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-8"
}
}
],
"category": "product_name",
"name": "NW AS Java UME User Mapping"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-9"
}
}
],
"category": "product_name",
"name": "NetWeaver Application Server ABAP and ABAP Platform"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-10"
}
}
],
"category": "product_name",
"name": "NetWeaver Enterprise Portal"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-11"
}
}
],
"category": "product_name",
"name": "S4HANA"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-12"
}
}
],
"category": "product_name",
"name": "S4HANA Private Cloud and On-Premise"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-13"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver Application Server ABAP and ABAP Platform"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-14"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver Enterprise Portal"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-15"
}
}
],
"category": "product_name",
"name": "SAP Software"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-16"
}
}
],
"category": "product_name",
"name": "Supplier Relationship Management"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-17"
}
}
],
"category": "product_name",
"name": "Wily Introscope Enterprise Manager"
}
],
"category": "vendor",
"name": "SAP"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-0501",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"title": "CWE-89"
},
{
"category": "description",
"text": "An authenticated user can exploit a SQL Injection vulnerability in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) due to insufficient input validation, affecting the application\u0027s confidentiality, integrity, and availability.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0501 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0501.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0501"
},
{
"cve": "CVE-2026-0500",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "description",
"text": "An unauthenticated attacker can exploit a vulnerability in SAP Wily Introscope Enterprise Manager to execute OS commands remotely via a malicious JNLP file, posing a significant security risk.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0500 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0500.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0500"
},
{
"cve": "CVE-2026-0498",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "description",
"text": "SAP S/4HANA (Private Cloud and On-Premise) has a critical vulnerability allowing admin-level attackers to inject arbitrary ABAP code or OS commands, bypassing authorization checks.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0498 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0498.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0498"
},
{
"cve": "CVE-2026-0491",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "description",
"text": "SAP Landscape Transformation contains a critical vulnerability that allows admin-level attackers to inject arbitrary ABAP code or OS commands, bypassing authorization checks.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0491 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0491.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0491"
},
{
"cve": "CVE-2026-0492",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"notes": [
{
"category": "other",
"text": "Missing Authentication for Critical Function",
"title": "CWE-306"
},
{
"category": "description",
"text": "The SAP HANA database contains a privilege escalation vulnerability that enables an authenticated user to switch to another user, potentially gaining administrative access.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0492 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0492.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0492"
},
{
"cve": "CVE-2026-0507",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "description",
"text": "An OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK allows authenticated attackers to execute arbitrary OS commands, risking system confidentiality, integrity, and availability.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0507 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0507.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0507"
},
{
"cve": "CVE-2026-0511",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "description",
"text": "The SAP Fiori App for Intercompany Balance Reconciliation has critical vulnerabilities, including a lack of essential authorization checks, which may lead to privilege escalation and compromise confidentiality and integrity.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0511 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0511.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0511"
},
{
"cve": "CVE-2026-0506",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "description",
"text": "A vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform allows authenticated attackers to exploit an RFC function, potentially compromising data integrity through unauthorized execution of form routines.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0506 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0506.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0506"
},
{
"cve": "CVE-2026-0503",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "description",
"text": "A vulnerability in SAP ECC and SAP S/4HANA allows attackers to extract hardcoded credentials and bypass authentication, potentially compromising EHS objects due to a missing authorization check.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0503 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0503.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0503"
},
{
"cve": "CVE-2026-0499",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "SAP NetWeaver Enterprise Portal is susceptible to Cross-Site Scripting (XSS), enabling attackers to inject malicious scripts through URL parameters, potentially resulting in session theft and content manipulation.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0499 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0499.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0499"
},
{
"cve": "CVE-2026-0514",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "A Cross-Site Scripting (XSS) vulnerability in SAP Business Connector enables unauthenticated attackers to redirect users to malicious sites, jeopardizing the confidentiality and integrity of webclient information.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0514 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0514.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0514"
},
{
"cve": "CVE-2026-0513",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"notes": [
{
"category": "other",
"text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"title": "CWE-601"
},
{
"category": "description",
"text": "An Open Redirect Vulnerability in SAP Supplier Relationship Management allows unauthenticated attackers to redirect users to malicious sites, posing a low risk to application integrity.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0513 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0513.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0513"
},
{
"cve": "CVE-2026-0494",
"cwe": {
"id": "CWE-497",
"name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
},
"notes": [
{
"category": "other",
"text": "Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"title": "CWE-497"
},
{
"category": "description",
"text": "The SAP Fiori App Intercompany Balance Reconciliation has a low-risk vulnerability that may allow unauthorized access to restricted information, with no impact on integrity or availability.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0494 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0494.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0494"
},
{
"cve": "CVE-2026-0493",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"notes": [
{
"category": "other",
"text": "Cross-Site Request Forgery (CSRF)",
"title": "CWE-352"
},
{
"category": "description",
"text": "A CSRF vulnerability in the SAP Fiori App for Intercompany Balance Reconciliation may allow attackers to execute actions on behalf of authenticated users, presenting a low risk to system integrity.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0493 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0493.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0493"
},
{
"cve": "CVE-2026-0497",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "description",
"text": "The SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information, but lacks an authorization check, posing a low confidentiality risk.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0497 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0497.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0497"
},
{
"cve": "CVE-2026-0504",
"cwe": {
"id": "CWE-943",
"name": "Improper Neutralization of Special Elements in Data Query Logic"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements in Data Query Logic",
"title": "CWE-943"
},
{
"category": "description",
"text": "The SAP Identity Management REST interface has a vulnerability due to insufficient input handling, allowing authenticated administrators to execute malicious REST requests, potentially leading to limited data disclosure or modification.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0504 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0504.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.8,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0504"
},
{
"cve": "CVE-2026-0510",
"cwe": {
"id": "CWE-326",
"name": "Inadequate Encryption Strength"
},
"notes": [
{
"category": "other",
"text": "Inadequate Encryption Strength",
"title": "CWE-326"
},
{
"category": "description",
"text": "The User Management Engine in NetWeaver Application Server for Java employs an outdated cryptographic algorithm, allowing potential partial disclosure of sensitive information by high-privileged attackers.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0510 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0510.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.0,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-0510"
}
]
}
WID-SEC-W-2026-0077
Vulnerability from csaf_certbund - Published: 2026-01-12 23:00 - Updated: 2026-01-13 23:00Summary
SAP Patchday Januar 2026: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: SAP stellt unternehmensweite Lösungen für Geschäftsprozesse wie Buchführung, Vertrieb, Einkauf und Lagerhaltung zur Verfügung.
Angriff: Ein Angreifer kann mehrere Schwachstellen in SAP Software ausnutzen, um sich erweiterte Berechtigungen zu verschaffen, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, Cross-Site-Scripting-Angriffe durchzuführen, Daten zu manipulieren, vertrauliche Informationen offenzulegen oder andere, nicht näher spezifizierte Angriffe durchzuführen.
Betroffene Betriebssysteme: - Sonstiges
- UNIX
- Windows
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
References
3 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "SAP stellt unternehmensweite L\u00f6sungen f\u00fcr Gesch\u00e4ftsprozesse wie Buchf\u00fchrung, Vertrieb, Einkauf und Lagerhaltung zur Verf\u00fcgung.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in SAP Software ausnutzen, um sich erweiterte Berechtigungen zu verschaffen, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen offenzulegen oder andere, nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0077 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0077.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0077 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0077"
},
{
"category": "external",
"summary": "SAP Patchday Januar 2026 vom 2026-01-12",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2026.html"
}
],
"source_lang": "en-US",
"title": "SAP Patchday Januar 2026: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-01-13T23:00:00.000+00:00",
"generator": {
"date": "2026-01-14T06:51:21.462+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0077",
"initial_release_date": "2026-01-12T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-01-12T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-01-13T23:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2026-2383, EUVD-2026-2381, EUVD-2026-2384, EUVD-2026-2380, EUVD-2026-2385, EUVD-2026-2389, EUVD-2026-2388, EUVD-2026-2391, EUVD-2026-2390, EUVD-2026-2393, EUVD-2026-2392, EUVD-2026-2386, EUVD-2026-2387, EUVD-2026-2375, EUVD-2026-2378, EUVD-2026-2377, EUVD-2026-2376, EUVD-2026-2379, EUVD-2026-2373"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "SAP Software",
"product": {
"name": "SAP Software",
"product_id": "T049869",
"product_identification_helper": {
"cpe": "cpe:/a:sap:sap:-"
}
}
}
],
"category": "vendor",
"name": "SAP"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-0491",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0491"
},
{
"cve": "CVE-2026-0492",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0492"
},
{
"cve": "CVE-2026-0493",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0493"
},
{
"cve": "CVE-2026-0494",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0494"
},
{
"cve": "CVE-2026-0495",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0495"
},
{
"cve": "CVE-2026-0496",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0496"
},
{
"cve": "CVE-2026-0497",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0497"
},
{
"cve": "CVE-2026-0498",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0498"
},
{
"cve": "CVE-2026-0499",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0499"
},
{
"cve": "CVE-2026-0500",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0500"
},
{
"cve": "CVE-2026-0501",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0501"
},
{
"cve": "CVE-2026-0503",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0503"
},
{
"cve": "CVE-2026-0504",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0504"
},
{
"cve": "CVE-2026-0506",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0506"
},
{
"cve": "CVE-2026-0507",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0507"
},
{
"cve": "CVE-2026-0510",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0510"
},
{
"cve": "CVE-2026-0511",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0511"
},
{
"cve": "CVE-2026-0513",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0513"
},
{
"cve": "CVE-2026-0514",
"product_status": {
"known_affected": [
"T049869"
]
},
"release_date": "2026-01-12T23:00:00.000+00:00",
"title": "CVE-2026-0514"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…