CVE-2017-11459
Command injection
SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via an fget command or (2) write to arbitrary files and consequently execute arbitrary code via an fdir command, aka SAP Security Note 2419592...
CVE-2017-11460
Cross site scripting
Cross-site scripting (XSS) vulnerability in the DataArchivingService servlet in SAP NetWeaver Portal 7.4 allows remote attackers to inject arbitrary web script or HTML via the responsecode parameter to shp/shp_result.jsp, aka SAP Security Note 2308535...
CVE-2017-11458
Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783...
CVE-2017-11457
CVE-2017-11457 is an XML external entity (XXE) vulnerability in SAP NetWeaver AS JAVA 7.5, affecting the component com.sap.km.cm.ice. A remote authenticated attacker can supply a crafted DTD in an XML request to read arbitrary files from the server or perform server-side request forgery (SSRF). The issue is documented against SAP NetWeaver AS JAVA 7.5 via SAP Security Note 238...
CVE-2017-11458
SAP NetWeaver AS JAVA 7.3 is affected by a cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet. An attacker can inject arbitrary script via the sessionID parameter, which then executes in the browser session of an affected user. Root cause is exposure of unsanitized sessionID inpu...
CVE-2017-11460
CVE-2017-11460 is a cross-site scripting (XSS) vulnerability in the DataArchivingService servlet of SAP NetWeaver Portal 7.4. The issue allows remote attackers to inject arbitrary web script or HTML by manipulating the responsecode parameter in shp/shp_result.jsp. Public sources consistently desc...
CVE-2017-11457
XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249...
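The two CVE-2017-11457 entries above describe the XXE class in a sentence: a DTD in the request declares an external entity, and a parser that resolves it reads whatever the SYSTEM identifier points at. The following added example is not SAP code and does not reproduce the SAP issue; it shows the general mechanism with Python's expat binding. The same parse routine is run in a vulnerable mode (any DOCTYPE accepted, external entities opened and inlined) and a hardened mode (DOCTYPE rejected outright, which also closes the SSRF variant where the SYSTEM identifier is a URL). The secret file, its contents and the XML payload are constructed for the demo.

```python
import os
import tempfile
import xml.parsers.expat


def extract_text(xml_bytes, *, hardened=True):
    """Return the character data of an XML document.

    hardened=False is the vulnerable pattern: a DOCTYPE is accepted and an
    external entity's SYSTEM identifier, chosen by whoever sent the document,
    is opened and its contents spliced into the document text.
    hardened=True rejects any DOCTYPE, so no entity declaration is ever
    reached; that removes both the local file read and the SSRF vector.
    """
    chunks = []
    parser = xml.parsers.expat.ParserCreate()

    def on_chars(data):
        chunks.append(data)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if hardened:
            raise ValueError("DOCTYPE not permitted in untrusted XML")

    def on_external_entity(context, base, system_id, public_id):
        if hardened:
            return 0  # not reachable once DOCTYPE is rejected; expat errors out
        # Vulnerable: system_id is attacker controlled. A path leaks a local
        # file; a URL would turn the parser into an SSRF primitive.
        with open(system_id, "rb") as fh:
            body = fh.read()
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = on_chars
        child.Parse(body, True)
        return 1

    parser.CharacterDataHandler = on_chars
    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def build_xxe_payload(target_path):
    """Constructed XXE document: the classic SYSTEM entity aimed at a local file."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE request [<!ENTITY xxe SYSTEM "' + target_path.encode() + b'">]>\n'
        b'<request><id>&xxe;</id></request>\n'
    )


def demo():
    """Run both modes against a constructed secret file.

    Returns (text leaked by the vulnerable parse, exception name raised by the
    hardened parse, or None if it did not reject the document).
    """
    with tempfile.NamedTemporaryFile("wb", suffix=".txt", delete=False) as fh:
        fh.write(b"db_password=hunter2")  # constructed sample secret, not real
        secret_path = fh.name
    try:
        payload = build_xxe_payload(secret_path)
        leaked = extract_text(payload, hardened=False)
        try:
            extract_text(payload, hardened=True)
            blocked = None
        except ValueError as exc:
            blocked = type(exc).__name__
    finally:
        os.unlink(secret_path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser leaked:", leaked)
    print("hardened parser raised:", blocked)
```

Rejecting the DOCTYPE is the right fix for request parsers that never legitimately need one; returning 0 from the entity handler alone still lets an attacker use parameter entities and error-based tricks, which is why the hardened mode refuses the declaration before any entity can be defined.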
NemucodAES Ransomware, Kovter Click-Fraud Malware Spreading in Same Campaigns
Two malware families, NemucodAES and Kovter, are being packaged together in .zip attachments and delivered via active spam campaigns. Researcher Brad Duncan said, “together these two pieces of malware could deliver a nasty punch.” Duncan, a handler at the SANS Institute Internet Storm Center, sai...
CVE-2017-9843
Design/Logic Flaw
SAP NetWeaver AS ABAP 7.40 allows remote authenticated users with certain privileges to cause a denial of service (process crash) via vectors involving disp+work.exe, aka SAP Security Note 2406841...
CVE-2017-9845
Design/Logic Flaw
disp+work 7400.12.21.30308 in SAP NetWeaver 7.40 allows remote attackers to cause a denial of service (resource consumption) via a crafted DIAG request, aka SAP Security Note 2405918...
CVE-2017-9844
Design/Logic Flaw
SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, aka SAP Security Note 2399804. NOTE: The vendor states that the devserver package of Visual Composer...
CVE-2017-9845
CVE-2017-9845 affects SAP NetWeaver 7.40 with the vulnerable disp+work 7400.12.21.30308. The issue resides in the disp+work.exe process (dynpen00) and can be triggered by sending a crafted DIAG request, leading to denial of service via resource consumption. CVSSv3.0 base score is 7.5 (Network, Lo...
CVE-2017-9843
CVE-2017-9843 affects SAP NetWeaver AS ABAP 7.40. The issue is a denial-of-service via disp+work.exe triggered by remote authenticated users with certain privileges; the vulnerability is tied to SAP Security Note 2406841. Affected components include SAP Kernel 7.40 64-bit and disp+work.exe. Impac...