
3094 matches found

Prion
added 2016/04/07 7:59 p.m. · 17 views

Security feature bypass

The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to obtain sensitive user information by visiting webdynpro/resources/sap.com/tcrtccoll.appl.rtcwdchat/Chat, pressing "Add users", and doing a search, aka SAP...

CVSS 5 · AI score 6.7 · EPSS 0.02413
Exploits 1 · References 4 · Affected Software 1

Prion
added 2016/04/07 7:59 p.m. · 21 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.NavigationURLTester, aka SAP...

CVSS 4.3 · AI score 6.2 · EPSS 0.01611
Exploits 2 · References 4 · Affected Software 1

Prion
added 2016/04/07 7:59 p.m. · 22 views

Xxe

XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to tcmonitoringwebserviceweb/ServerNodesWSService, aka SA...

CVSS 6.4 · AI score 7.4 · EPSS 0.15058
Exploits 5 · References 5 · Affected Software 1

Cvelist
added 2016/04/07 7:0 p.m. · 24 views

CVE-2016-3974

XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to tcmonitoringwebserviceweb/ServerNodesWSService, aka SA...

AI score 9.1 · EPSS 0.15058
Exploits 5 · References 5

Cvelist
added 2016/04/07 7:0 p.m. · 28 views

CVE-2016-3975

Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.NavigationURLTester, aka SAP...

AI score 6.3 · EPSS 0.01611
Exploits 2 · References 4

CVE
added 2016/04/07 7:0 p.m. · 72 views

CVE-2016-3974

CVE-2016-3974 affects SAP NetWeaver AS JAVA 7.1–7.5. An XML External Entity (XXE) vulnerability in the Configuration Wizard/ctcprotocol servlet allows remote attackers to cause a denial of service, perform SMB relay actions, or read arbitrary files via a crafted XML to the ServerNodesWSService en...

CVSS 9.1 · AI score 9 · EPSS 0.15058
Exploits 5 · References 5 · Affected Software 1

GitLab Advisory Database
added 2016/04/07 12:0 a.m. · 28 views

Possible Information Leak Vulnerability

Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability. Impacted code will look something like this: def index; render params[:id]; end Carefully crafted requests can cause the above code to render files from unexpect...

CVSS 5.3 · AI score 2.6 · EPSS 0.04423
Exploits 1 · References 1 · Affected Software 1

ATTACKERKB
added 2016/04/07 12:0 a.m. · 57 views

CVE-2016-3976

Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971. Recent assessments: Assessed Attacker Value: 0 Assessed...

CVSS 7.5 · AI score 7.5 · EPSS 0.46605
In wild · Exploits 5 · References 10

hackapp
added 2016/04/01 9:23 a.m. · 13 views

Sticky Note + - Customized SSL, Dangerous filesystem permissions, WebView SSL handling enabled vulnerabilities

HackApp vulnerability scanner discovered that application Sticky Note + published at the 'play' market has multiple vulnerabilities...

AI score 0.1
Exploits 0 · References 1 · Affected Software 1

hackapp
added 2016/04/01 9:23 a.m. · 12 views

Death Note - Customized SSL, Redefined SSL Common Names verifier vulnerabilities

HackApp vulnerability scanner discovered that application Death Note published at the 'play' market has multiple vulnerabilities...

AI score 0.3
Exploits 0 · References 1 · Affected Software 1

hackapp
added 2016/04/01 9:22 a.m. · 11 views

Note Everything - Exported components, External URLs, Runtime command execution vulnerabilities

HackApp vulnerability scanner discovered that application Note Everything published at the 'play' market has multiple vulnerabilities...

AI score 1.4
Exploits 0 · References 1 · Affected Software 1

hackapp
added 2016/04/01 9:22 a.m. · 19 views

Simple Sticky Note Widget - Exported components vulnerabilities

HackApp vulnerability scanner discovered that application Simple Sticky Note Widget published at the 'play' market has multiple vulnerabilities...

Exploits 0 · References 1 · Affected Software 1

hackapp
added 2016/04/01 8:48 a.m. · 9 views

Simplest Note Ever - Dangerous filesystem permissions, WebView code execution vulnerabilities

HackApp vulnerability scanner discovered that application Simplest Note Ever published at the 'play' market has multiple vulnerabilities...

AI score 1
Exploits 0 · References 1 · Affected Software 1

myhack58
added 2016/03/12 12:0 a.m. · 25 views

Two kinds of vulnerabilities let attackers obtain root permissions on a billion Android phones - bug warning - the black bar safety net

Trend Micro reported vulnerabilities discovered on billions of Android devices that let an attacker obtain root access through a simple operation. Most smart devices currently on the market use Qualcomm Snapdragon SoCs; according to the company's official website...

AI score 1.3
Exploits 0

Packet Storm
added 2016/03/11 12:0 a.m. · 56 views

SAP Download Manager 2.1.142 Weak Encryption

Advisory Information Title: SAP Download Manager Password Weak Encryption Advisory ID: CORE-2016-0004 Advisory URL: http://www.coresecurity.com/advisories/sap-download-manager-password-weak-encryption Date published: 2016-03-08 Date of last update: 2016-03-07 Vendors contacted: SAP Release mode:...

AI score 7.4
Exploits 0

ATTACKERKB
added 2016/03/10 12:59 a.m. · 0 views

CVE-2016-2859

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-0834. Reason: This candidate is a reservation duplicate of CVE-2016-0834. Notes: All CVE users should reference CVE-2016-0834 instead of this candidate. All references and descriptions in this candidate have been removed to...

CVSS 10 · AI score 7.3 · EPSS 0.01512
Exploits 0 · References 1

Hacker One
added 2016/03/09 11:30 p.m. · 13 views

Xero: Additional stored XSS in Add note/Expected payment Date

When you make an invoice, the person you make the invoice out to can be an xss vector like " then fill out the rest of the invoice and create it. Go to the invoice then when you go the invoice and click add note/expected date it'll trigger...

AI score 6.8
Exploits 0

Core Security
added 2016/03/09 12:0 a.m. · 499 views

SAP Download Manager Password Weak Encryption

1. Advisory Information Title: SAP Download Manager Password Weak Encryption Advisory ID: CORE-2016-0004 Advisory URL: Date published: 2016-03-09 Date of last update: 2016-03-07 Vendors contacted: SAP Release mode: Coordinated release 2. Vulnerability Information Class: Storing Passwords in a...

CVSS 4.7 · AI score 6.6 · EPSS 0.00288
Exploits 2

Positive Technologies
added 2016/03/09 12:0 a.m. · 6 views

PT-2016-3362 · Sap · Sap Netweaver As Java

Name of the Vulnerable Software and Affected Versions: SAP NetWeaver AS JAVA version 7.5 Description: The issue is related to an XML External Entity (XXE) vulnerability in the BC-BMT-BPM-DSK component of SAP NetWeaver AS JAVA. This vulnerability allows remote authenticated users to conduct XXE...

CVSS 6.5 · AI score 8.9 · EPSS 0.23805
Exploits 0 · References 8

NVD
added 2016/02/16 3:59 p.m. · 16 views

CVE-2016-2388

The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846...

CVSS 5.3 · AI score 4.9 · EPSS 0.51553
Exploits 10 · References 8