Design/Logic Flaw
SAP NetWeaver AS Java for Deploy Service - version 7.5, does not perform any access control checks for functionalities that require user identity enabling an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will...
CVE-2023-24527
CVE-2023-24527 affects SAP NetWeaver AS Java for Deploy Service (v7.5). The issue is improper access control: an unauthenticated remote attacker can attach to an open interface and use an open naming/directory API to access a service. This access disclosure does not modify server settings or data...
CVE-2023-27268
SAP NetWeaver AS Java Object Analyzing Service - version 7.50, does not perform necessary authorization checks, allowing an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to access but not modify...
Authorization
SAP NetWeaver AS Java Object Analyzing Service - version 7.50, does not perform necessary authorization checks, allowing an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to access but not modify...
CVE-2023-27268
CVE-2023-27268 relates to SAP NetWeaver AS Java (Object Analyzing Service) v7.50, where missing authorization checks allow an unauthenticated attacker to attach to an open interface and use the Open Naming and Directory API to access server data, enabling privilege escalation without modifying da...
CVE-2023-27268 Improper Access Control in SAP NetWeaver AS Java (Object Analyzing Service)
SAP NetWeaver AS Java Object Analyzing Service - version 7.50, does not perform necessary authorization checks, allowing an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to access but not modify...
CVE-2022-41262
Due to insufficient input validation, SAP NetWeaver AS Java HTTP Provider Service - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality...
CVE-2022-41262
CVE-2022-41262 affects SAP NetWeaver AS Java (HTTP Provider Service), version 7.50. The issue is due to insufficient input validation that allows an unauthenticated attacker to inject a script into a web request header. The resulting impact is described as limited in confidentiality and integrity...
PT-2022-25774 · SAP · SAP NetWeaver AS Java
Name of the Vulnerable Software and Affected Versions: SAP NetWeaver AS Java HTTP Provider Service version 7.50. Description: The issue is caused by insufficient input validation, allowing an unauthenticated attacker to inject a script into a web request header. Successful exploitation enables an...
SAP NetWeaver Information Disclosure Vulnerability
The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request...
SAP NetWeaver AS ABAP and AS Java Memory Corruption (3145702)
A memory corruption vulnerability exists in SAP NetWeaver AS ABAP and AS Java kernel versions 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, and 8.04 which may allow an unauthenticated attacker to steal authentication information of the user. Note that Nessus has not tested for this issue...
CVE-2021-37535
CVE-2021-37535 affects SAP NetWeaver Application Server Java, specifically the JMS Connector Service. Affected versions: 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. Root cause described in sources as missing/incorrect authorization checks for user privileges, enabling a remote attacker to bypass author...
CVE-2021-33687
SAP NetWeaver AS JAVA (Enterprise Portal) information disclosure vulnerability (CVE-2021-33687) affects versions 7.10, 7.20, 7.30, 7.31, 7.40, and 7.50. The issue involves sensitive information being revealed in one HTTP request, which an attacker could leverage in combination with other attacks ...
CVE-2021-27601
CVE-2021-27601 affects SAP NetWeaver AS Java (Applications based on HTMLB for Java). An authorized, basic-level attacker can store a malicious file on the server; when a victim opens that file, a Cross-Site Scripting (XSS) vulnerability can allow reading and modification of data. The root cause i...
CVE-2021-27598
SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet) vulnerability CVE-2021-27598 affects SAP NetWeaver AS JAVA versions 7.31, 7.40, and 7.50. The root cause is a missing authorization check in the Customer Usage Provisioning Servlet, allowing an attacker to read statistical data such as p...
SAP Stomps Out Critical RCE Flaw in Manufacturing Software
Enterprise software giant SAP pushed out fixes for a critical-severity vulnerability in its real-time data monitoring software for manufacturing operations. If exploited, the flaw could allow an attacker to access SAP databases, infect end users with malware and modify network configurations. The...
SAP NetWeaver AS Java and AS ABAP Multiple Vulnerabilities (Jan 2021)
The version of SAP NetWeaver AS Java or ABAP detected on the remote host is affected by multiple vulnerabilities, as follows: - SAP NetWeaver AS Java HTTP Service, versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data suc...
CVE-2020-26826
Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file including script files without proper file format validation, leading to Unrestricted File Upload...
CVE-2020-26826
CVE-2020-26826 affects SAP NetWeaver AS JAVA (Process Integration Monitoring) and is described across multiple sources as a vulnerability where an attacker can upload any file (including scripts) due to insufficient file format validation. Affected versions include SAP NetWeaver AS JAVA 7.31, 7.4...
CVE-2020-26829
SAP NetWeaver AS JAVA P2P Cluster Communication (versions 7.11–7.50) is affected by CVE-2020-26829 due to a missing authentication check, enabling an unauthenticated attacker to initiate privileged actions that are normally restricted to administrators, including access to system administration f...