The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2019-0543 | An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka Microsoft Windows Elevation of Privilege Vulnerability. This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | Medium | Jan 14, 2019 |
| CVE-2019-0542 | A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters, aka Xterm Remote Code Execution Vulnerability. This affects xterm.js. | HIGH | Jan 11, 2019 |
| CVE-2019-0541 | A remote code execution vulnerability exists in the way that the MSHTML engine inproperly validates input, aka MSHTML Engine Remote Code Execution Vulnerability. This affects Microsoft Office, Microsoft Office Word Viewer, Internet Explorer 9, Internet Explorer 11, Microsoft Excel Viewer, Internet Explorer 10, Office 365 ProPlus. | High | Jan 14, 2019 |
| CVE-2019-0540 | A security feature bypass vulnerability exists when Microsoft Office does not validate URLs.An attacker could send a victim a specially crafted file, which could trick the victim into entering credentials, aka \'Microsoft Office Security Feature Bypass Vulnerability\'. | MEDIUM | Mar 22, 2019 |
| CVE-2019-0539 | A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka Chakra Scripting Engine Memory Corruption Vulnerability. This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2019-0567, CVE-2019-0568. | High | Jan 14, 2019 |
| CVE-2019-0538 | A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka Jet Database Engine Remote Code Execution Vulnerability. This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584. | High | Jan 14, 2019 |
| CVE-2019-0537 | An information disclosure vulnerability exists when Visual Studio improperly discloses arbitrary file contents if the victim opens a malicious .vscontent file, aka Microsoft Visual Studio Information Disclosure Vulnerability. This affects Microsoft Visual Studio. | Medium | Jan 14, 2019 |
| CVE-2019-0536 | An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka Windows Kernel Information Disclosure Vulnerability. This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0549, CVE-2019-0554, CVE-2019-0569. | Low | Jan 14, 2019 |
| CVE-2019-0405 | SAP Enable Now, before version 1911, leaks information about the existence of a particular user which can be used to construct a list of users, leading to a user enumeration vulnerability and Information Disclosure. | MEDIUM | Dec 11, 2019 |
| CVE-2019-0404 | SAP Enable Now, before version 1911, leaks information about network configuration in the server error messages, leading to Information Disclosure. | MEDIUM | Dec 11, 2019 |
| CVE-2019-0403 | SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed when opened, leading to CSV Command Injection. | HIGH | Dec 11, 2019 |
| CVE-2019-0402 | SAP Adaptive Server Enterprise, before versions 15.7 and 16.0, under certain conditions exposes some sensitive information to the admin, leading to Information Disclosure. | LOW | Dec 13, 2019 |
| CVE-2019-0399 | SAP Portfolio and Project Management, before versions S4CORE 102, 103, EPPM 100 and CPRXRPM 500_702, 600_740, 610_740; unintentionally allows a user to discover accounting information of the Projects in Project dashboard, leading to Information Disclosure. | MEDIUM | Dec 11, 2019 |
| CVE-2019-0398 | Due to insufficient CSRF protection, SAP BusinessObjects Business Intelligence Platform (Monitoring Application), before versions 4.1, 4.2 and 4.3, may lead to an authenticated user to send unintended request to the web server, leading to Cross Site Request Forgery. | MEDIUM | Dec 11, 2019 |
| CVE-2019-0396 | SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), corrected in versions 4.1 and 4.2, does not sufficiently validate an XML document accepted from an untrusted source. An attacker can craft a message that contains malicious elements that will not be correctly filtered by Web Intelligence HTML interface in some specific workflows. | MEDIUM | Nov 14, 2019 |
| CVE-2019-0395 | SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad), before version 4.2, allows execution of JavaScript in a text module in Fiori BI Launchpad, leading to Stored Cross Site Scripting vulnerability. | LOW | Dec 11, 2019 |
| CVE-2019-0393 | An SQL Injection vulnerability in SAP Quality Management (corrected in S4CORE versions 1.0, 1.01, 1.02, 1.03) allows an attacker to carry out targeted database queries that can read individual fields of historical inspection results. | MEDIUM | Nov 14, 2019 |
| CVE-2019-0391 | Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted. | MEDIUM | Nov 14, 2019 |
| CVE-2019-0390 | Under certain conditions SAP Data Hub (corrected in DH_Foundation version 2) allows an attacker to access information which would otherwise be restricted. Connection details that are maintained in Connection Manager are visible to users. | MEDIUM | Nov 14, 2019 |
| CVE-2019-0389 | An administrator of SAP NetWeaver Application Server Java (J2EE-Framework), (corrected in versions 7.1, 7.2, 7.3, 7.31, 7.4, 7.5), may change privileges for all or some functions in Java Server, and enable users to execute functions, they are not allowed to execute otherwise. | MEDIUM | Nov 14, 2019 |
| CVE-2019-0388 | SAP UI5 HTTP Handler (corrected in SAP_UI versions 7.5, 7.51, 7.52, 7.53, 7.54 and SAP UI_700 version 2.0) allows an attacker to manipulate content due to insufficient URL validation. | MEDIUM | Nov 14, 2019 |
| CVE-2019-0386 | Order processing in SAP ERP Sales (corrected in SAP_APPL 6.0, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18) and S4HANA Sales (corrected in S4CORE 1.0, 1.01, 1.02, 1.03, 1.04) does not execute the required authorization checks for an authenticated user, which can result in an escalation of privileges. | MEDIUM | Nov 14, 2019 |
| CVE-2019-0385 | SAP Enable Now, before version 1908, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | LOW | Nov 14, 2019 |
| CVE-2019-0384 | Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for functionalities that require user identity. | MEDIUM | Dec 20, 2019 |
| CVE-2019-0383 | Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | MEDIUM | Dec 20, 2019 |
| CVE-2019-0382 | A Cross-Site Scripting vulnerability exists in SAP BusinessObjects Business Intelligence Platform (Web Intelligence-Publication related pages); corrected in version 4.2. Privileges are required in order to exploit this vulnerability. | LOW | Nov 14, 2019 |
| CVE-2019-0381 | A binary planting in SAP SQL Anywhere, before version 17.0, SAP IQ, before version 16.1, and SAP Dynamic Tier, before versions 1.0 and 2.0, can result in the inadvertent access of files located in directories outside of the paths specified by the user. | LOW | Oct 15, 2019 |
| CVE-2019-0380 | Under certain conditions, SAP Landscape Management enterprise edition, before version 3.0, allows custom secure parameters’ default values to be part of the application logs leading to Information Disclosure. | MEDIUM | Oct 10, 2019 |
| CVE-2019-0379 | SAP Process Integration, business-to-business add-on, versions 1.0, 2.0, does not perform authentication check properly when the default security provider is changed to BouncyCastle (BC), leading to Missing Authentication Check | MEDIUM | Oct 15, 2019 |
| CVE-2019-0378 | SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before version 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store malicious scripts in the file name of the background image resulting in Stored Cross-Site Scripting. | LOW | Oct 10, 2019 |
| CVE-2019-0377 | SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store malicious scripts in the input controls, resulting in Stored Cross-Site Scripting. | LOW | Oct 10, 2019 |
| CVE-2019-0376 | SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows an attacker to save malicious scripts in the publication name, which can be executed later by the victim, resulting in Stored Cross-Site Scripting. | LOW | Oct 10, 2019 |
| CVE-2019-0375 | SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the export dialog box of the report name resulting in reflected Cross-Site Scripting. | LOW | Oct 10, 2019 |
| CVE-2019-0374 | SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the chart title resulting in reflected Cross-Site Scripting | LOW | Oct 10, 2019 |
| CVE-2019-0370 | Due to missing input validation, SAP Financial Consolidation, before versions 10.0 and 10.1, enables an attacker to use crafted input to interfere with the structure of the surrounding query leading to XPath Injection. | MEDIUM | Oct 11, 2019 |
| CVE-2019-0369 | SAP Financial Consolidation, before versions 10.0 and 10.1, does not sufficiently encode user-controlled inputs, which allows an attacker to execute scripts by uploading files containing malicious scripts, leading to reflected cross site scripting vulnerability. | LOW | Oct 10, 2019 |
| CVE-2019-0368 | SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs within the mail client resulting in Cross-Site Scripting vulnerability. | LOW | Oct 17, 2019 |
| CVE-2019-0367 | SAP NetWeaver Process Integration (B2B Toolkit), before versions 1.0 and 2.0, does not perform necessary authorization checks for an authenticated user, allowing the import of B2B table content that leads to Missing Authorization Check. | MEDIUM | Oct 10, 2019 |
| CVE-2019-0365 | SAP Kernel (RFC), KRNL32NUC, KRNL32UC and KRNL64NUC before versions 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64UC, before versions 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73 and KERNEL before versions 7.21, 7.49, 7.53, 7.73, 7.76 SAP GUI for Windows (BC-FES-GUI) before versions 7.5, 7.6, and SAP GUI for Java (BC-FES-JAV) before version 7.5, allow an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | HIGH | Sep 11, 2019 |
| CVE-2019-0364 | Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to enumerate open ports. | MEDIUM | Sep 11, 2019 |
| CVE-2019-0363 | Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to overload the server or retrieve information about internal network ports. | MEDIUM | Sep 11, 2019 |
| CVE-2019-0361 | SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | MEDIUM | Sep 11, 2019 |
| CVE-2019-0357 | The administrator of SAP HANA database, before versions 1.0 and 2.0, can misuse HANA to execute commands with operating system \"root\" privileges. | HIGH | Sep 11, 2019 |
| CVE-2019-0356 | Under certain conditions SAP NetWeaver Process Integration Runtime Workbench – MESSAGING and SAP_XIAF (before versions 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted. | Medium | Sep 11, 2019 |
| CVE-2019-0355 | SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application. | MEDIUM | Sep 11, 2019 |
| CVE-2019-0353 | Under certain conditions SAP Business One client (B1_ON_HANA, SAP-M-BO), before versions 9.2 and 9.3, allows an attacker to access information which would otherwise be restricted. | LOW | Sep 10, 2019 |
| CVE-2019-0352 | In SAP Business Objects Business Intelligence Platform, before versions 4.1, 4.2 and 4.3, some dynamic pages (like jsp) are cached, which leads to an attacker can see the sensitive information via cache and can open the dynamic pages even after logout. | MEDIUM | Sep 11, 2019 |
| CVE-2019-0351 | A remote code execution vulnerability exists in the SAP NetWeaver UDDI Server (Services Registry), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50. Because of this, an attacker can exploit Services Registry potentially enabling them to take complete control of the product, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. It can also be used to cause a general fault in the product, causing the product to terminate. | MEDIUM | Aug 23, 2019 |
| CVE-2019-0350 | SAP HANA Database, versions 1.0, 2.0, allows an unauthorized attacker to send a malformed connection request, which crashes the indexserver of an SAP HANA instance, leading to Denial of Service | MEDIUM | Nov 5, 2019 |
| CVE-2019-0349 | SAP Kernel (ABAP Debugger), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.49, 7.53, 7.73, 7.75, 7.76, 7.77, allows a user to execute “Go to statement” without possessing the authorization S_DEVELOP DEBUG 02, resulting in Missing Authorization Check | Medium | Aug 23, 2019 |
