[ERPSCAN-15-011] SAP Mobile Platform 3.0 - XXE

ERPSCAN Research Advisory ERPSCAN-15-011 SAP Mobile Platform 3.0 - XXE Application: SAP Mobile Platform 3.0 Versions Affected: SAP Mobile Platform 3.0, probably others Vendor URL: http://SAP.com Bugs: XML eXternal Entity Sent: 29.12.2014 Reported: 29.12.2014 Vendor response: 30.12.2014 Date of...

[ERPSCAN-15-005] SAP Mobile Platform - XXE

ERPSCAN Research Advisory ERPSCAN-15-005 SAP Mobile Platform - XXE Application: SAP Mobile Platform 2.3 Versions Affected: SAP Mobile Platform 2.3, probably others Vendor URL: http://SAP.com Bugs: XML eXternal Entity Sent: 06.11.14 Reported: 06.11.14 Vendor response: 07.11.14 Date of Public...

[ERPSCAN-15-003] SAP NetWeaver Dispatcher Buffer Overflow - RCE, DoS

ERPSCAN Research Advisory ERPSCAN-15-003 SAP NetWeaver Dispatcher Buffer Overflow - RCE, DoS Application: SAP NetWeaver Dispatcher Versions Affected: SAP NetWeaver Dispatcher, probably others Vendor URL: http://SAP.com Bugs: RCE Sent: 25.08.14 Reported: 25.08.14 Vendor response: 25.08.14 Date of...

CVE-2015-5068

XML external entity XXE vulnerability in SAP Mobile Platform 3 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML request, aka SAP Security Note 2159601...

CVE-2015-5068

XML external entity XXE vulnerability in SAP Mobile Platform 3 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML request, aka SAP Security Note 2159601...

CVE-2015-5068

XML external entity XXE vulnerability in SAP Mobile Platform 3 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML request, aka SAP Security Note 2159601...

CVE-2015-5068

CVE-2015-5068 is an XXE vulnerability affecting SAP Mobile Platform 3 (and SAP NetWeaver AS Java 7.4 per ERPScan notes) where the XML parser validates incoming requests with a user-specified DTD. A crafted XML request (via Add Repository) can cause the server to read arbitrary files, enable DoS (...

Design/Logic Flaw

SAP Adaptive Server Enterprise ASE before 15.7 SP132 and 16.0 before 16.0 SP01 allows remote attackers to bypass the challenge and response mechanism and obtain access to the probe account via a crafted response, aka SAP Security Note 2113995...

CVE-2015-4161

SAP Afaria does not properly restrict access to unspecified functionality, which allows remote attackers to obtain sensitive information, gain privileges, or have other unspecified impact via unknown vectors, SAP Security Note 2155690...

CVE-2015-4158

SAP ABAP & Java Server allows remote attackers to cause a denial of service service termination via unspecified vectors, aka SAP Security Note 2121661...

CVE-2015-4157

SAP Content Server allows remote attackers to cause a denial of service service termination via unspecified vectors, aka SAP Security Note 2127995...

CVE-2015-2278

The LZH decompression implementation CsObjectInt::BuildHufTree function in vpa108csulzh.cpp in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers t...

Out-of-bounds

The LZH decompression implementation CsObjectInt::BuildHufTree function in vpa108csulzh.cpp in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers t...

Stack overflow

Stack-based buffer overflow in the LZC decompression implementation CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows...

Code injection

SAP Content Server allows remote attackers to cause a denial of service service termination via unspecified vectors, aka SAP Security Note 2127995...

Information disclosure

SAP Afaria does not properly restrict access to unspecified functionality, which allows remote attackers to obtain sensitive information, gain privileges, or have other unspecified impact via unknown vectors, SAP Security Note 2155690...

CVE-2015-4158

SAP ABAP & Java Server allows remote attackers to cause a denial of service service termination via unspecified vectors, aka SAP Security Note 2121661...

CVE-2015-4161

SAP Afaria does not properly restrict access to unspecified functionality, which allows remote attackers to obtain sensitive information, gain privileges, or have other unspecified impact via unknown vectors, SAP Security Note 2155690...

CVE-2015-2282

Stack-based buffer overflow in the LZC decompression implementation CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows...

CVE-2015-4161

SAP Afaria is affected by an information-disclosure vulnerability where access to unspecified functionality is not properly restricted (via the Services feature). A remote attacker could obtain sensitive information, and potentially gain privileges, with other unspecified impacts noted in SAP Sec...