102 matches found
CVE-2021-38163
CVE-2021-38163 affects SAP NetWeaver (Visual Composer 7.0 RT) versions 7.30/7.31/7.40/7.50 with an unrestricted file upload path traversal that, when exploited by an authenticated non-administrative user, can trigger processing of a malicious file and execute OS commands under the Java Server pro...
CVE-2025-31324
CVE-2025-31324 affects SAP NetWeaver Visual Composer Metadata Uploader (VCFRAMEWORK). Unauthenticated uploads to /developmentserver/metadatauploader allow remote code execution with SAP service user privileges (RCE in VCFRAMEWORK) and can compromise confidentiality, integrity, and availability. C...
CVE-2025-42999
CVE-2025-42999 affects SAP NetWeaver Visual Composer Metadata Uploader. It is a deserialization vulnerability that can allow a privileged attacker to compromise confidentiality, integrity, and availability of the host system. Connected documents corroborate a broader context: CVE-2025-31324 (unre...
CVE-2017-9844
SAP NetWeaver with version 7400.12.21.30308 is affected by CVE-2017-9844 due to insecure Java deserialization in the metadatauploader endpoint. A crafted serialized Java object sent to /developmentserver/metadatauploader can cause denial of service and potentially allow arbitrary code execution, ...
CVE-2023-36922
The CVE-2023-36922 entry concerns SAP ECC/SAP S/4HANA IS-OIL with a programming error in the function module and report that permits an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter of a common extension. Exploitation can allow reading/modify...
CVE-2013-1592
SAP NetWeaver Message Server contains CVE-2013-1592 (and related CVE-2013-1593) buffer-overflow vulnerabilities in the Message Server module. The flaw resides in _MsJ2EE_AddStatistics(), where the attacker-controlled MSJ2EE_HEADER.serviceid is used to index the global j2ee_stat_services array wit...
CVE-2012-2612
CVE-2012-2612 refers to a Denial of Service in SAP NetWeaver Dispatcher (disp+work.exe) 7.0 EHP1/EHP2 where the DiagTraceHex function can be triggered by crafted SAP Diag packets to cause a daemon crash. Affected component: Dispatcher service within SAP NetWeaver 7.0 EHP1/EHP2 (disp+work.exe v701...
CVE-2012-2514
CVE-2012-2514 affects SAP NetWeaver Dispatcher in SAP NetWeaver 7.0 EHP1 (disp+work.exe v7010.29.15.58313) and EHP2 (v7200.70.18.23869). The vulnerability is in the DiagiEventSource function of the Dispatcher, exploitable by remotely crafted SAP Diag packets to cause a denial of service (daemon c...
CVE-2024-22124
CVE-2024-22124 affects SAP NetWeaver Internet Communication Manager and SAP Web Dispatcher—specifically listed kernel and related components (KERNEL 7.22/7.53/7.54; KRNL64UC 7.22/7.53; KRNL64NUC 7.22/7.22_EXT; WEBDISP 7.22_EXT/7.53/7.54). The vulnerability enables an attacker to access informatio...
CVE-2022-22534
CVE-2022-22534 affects SAP NetWeaver Application Server (NetWeaver ABAP/AS) through insufficient input encoding , enabling an unauthenticated attacker to inject code and potentially expose sensitive data such as user IDs and passwords . The endpoints are normally network-exposed, with a partial c...
CVE-2015-5067
The CVE-2015-5067 entry affects SAP NetWeaver, specifically the Cross-System Tools and Data Transfer Workbench components. The root cause is hardcoded credentials within these tools, enabling remote access via unspecified vectors. This is supported by multiple sources (NVD/CNVD/PRION/CVE lists) r...
CVE-2013-6815
CVE-2013-6815 affects SAP NetWeaver Application Server for ABAP (AS ABAP) versions 7.31 and earlier. The SHSTI_UPLOAD_XML function is vulnerable to a XML External Entity (XXE) issue that can allow remote attackers to cause a denial of service. Affected component: SHSTI_UPLOAD_XML in AS ABAP; root...
CVE-2016-2389
SAP xMII 15.0 for SAP NetWeaver 7.4 is affected by CVE-2016-2389 due to a directory traversal in the GetFileList function (Path parameter to /Catalog), enabling read of arbitrary server files (e.g., ../../../../etc/passwd). Affected component is SAP MII 15.0; CVSS v3 base score 7.5 (Network, Low ...
CVE-2020-6203
CVE-2020-6203 concerns SAP NetWeaver UDDI Server (Services Registry) versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. The vulnerability arises from insufficient validation of path information provided by users, allowing path traversal characters to reach file APIs and potentially access restric...
CVE-2022-28772
The CVE-2022-28772 entry concerns a buffer overflow in SAP Web Dispatcher and SAP Internet Communication Manager caused by overlong input values that can overwrite the internal program stack, leading to a denial of service. Affected products include SAP Web Dispatcher versions 7.53, 7.77, 7.81, 7...
CVE-2022-28217
CVE-2022-28217 affects SAP NetWeaver (EP Web Page Composer). Multiple connected documents describe a vulnerability where an XML document from an untrusted source is not sufficiently validated, enabling unprotected XML parking at endpoints and a potential SSRF attack that could impact availability...
CVE-2022-28773
CVE-2022-28773 affects SAP Web Dispatcher and SAP Internet Communication Manager. The issue is caused by uncontrolled recursion, leading to denial of service with a crash that is restartable. Public details across connected documents confirm the component/file-level root cause and DoS impact; som...
CVE-2013-6244
The CVE-2013-6244 issue affects SAP NetWeaver 7.31 and earlier, in the Live Update webdynpro application (webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP). The root cause is an XML External Entity (XXE) vulnerability where an XML document containing an external entity declaration and an entity ref...
CVE-2016-1910
CVE-2016-1910 affects SAP NetWeaver 7.4 UME (User Management Engine) and is described as a cryptographic issue enabling attackers to decrypt data via unspecified vectors (SAP Security Note 2191290). The connected materials indicate this is a crypto-issue vulnerability with publicly available PoCs...
CVE-2023-29186
SAP NetWeaver BI CONT ADDON vulnerability CVE-2023-29186 affects versions 707, 737, 747, and 757. A directory traversal flaw in a report allows uploading and overwriting files on the SAP server; data cannot be read, but a remote attacker with administrative privileges could overwrite critical OS ...
CVE-2011-1517
CVE-2011-1517 affects SAP NetWeaver Dispatcher (disp+work.exe) on SAP NetWeaver 7.0. The issue arises from the DiagTraceHex() function; a remote attacker can send a specially crafted network packet to trigger a denial of service (and in the broader advisory context, related vulnerabilities enable...
CVE-2011-5263
CVE-2011-5263 concerns an XSS vulnerability in SAP NetWeaver 7.30 and earlier, in the RetrieveMailExamples component. The server parameter can be exploited to inject arbitrary web script or HTML. The connected sources confirm the affected platform and vulnerability class but do not provide specif...
CVE-2017-5372
SAP NetWeaver AS JAVA P4 MSPRuntimeInterface (MSPRuntimeInterface) in SERVERCORE is vulnerable to information disclosure due to missing authorization when calling getInformation, getParameters, getServiceInfo, getStatistic, or getClientStatistic. Public advisories (ErpScan ERPSCAN-16-037 and SAP ...
CVE-2023-32114
CVE-2023-32114 affects SAP NetWeaver Change and Transport System (CTS) for versions 702–757. An authenticated user with admin privileges can repeatedly run a benchmark program, causing resource exhaustion and a denial of service with limited impact on availability; confidentiality and integrity a...
CVE-2020-6184
The CVE-2020-6184 issue affects SAP NetWeaver ABAP Online Community in SAP_BASIS 7.40 and SAP_BASIS 7.50–7.54 (S/4HANA). The vulnerability arises from insufficient encoding of user-controlled inputs in the ABAP Online Community, leading to Reflected Cross-Site Scripting (XSS). The connected sourc...
CVE-2015-7241
CVE-2015-7241 describes an XML External Entity (XXE) vulnerability in SAP NetWeaver before 7.01 due to the XML parser. The vulnerability allows potential unauthorized access and data exposure via XXE, as documented in multiple sources (NVD, CNVD, CVE lists) and corroborated by exploitation refere...
CVE-2020-6181
CVE-2020-6181 affects SAP NetWeaver SAP_BASIS (702, 730, 731, 740) and SAP ABAP Platform SAP_BASIS (750–754). The SAML SSO implementation may include invalidated data in HTTP response headers, enabling HTTP Response Splitting. Impact is a header-level manipulation in Web users; exact exploit deta...
CVE-2013-3319
CVE-2013-3319 affects SAP NetWeaver 7.03 via the HostControl service GetComputerSystem method, enabling remote disclosure of sensitive information through a crafted SOAP request to port 1128. Public references in Nessus note and vendor advisories (SAP Note 1816536) detail sensitive data exposure ...
CVE-2023-33985
CVE-2023-33985 affects SAP NetWeaver Enterprise Portal 7.50. The vulnerability is a reflected XSS caused by insufficient encoding of user-controlled inputs over the network, leading to a limited impact on confidentiality and integrity. Connected sources corroborate the affected product/version an...
CVE-2014-3787
CVE-2014-3787 affects SAP NetWeaver 7.20 and earlier. Multiple connected sources confirm that remote attackers can read arbitrary SAP Central User Administration (SAP CUA) tables via unspecified vectors. The CVSS estimate in NVD indicates a network-accessible, low-complexity漏洞 with partial confid...
CVE-2013-1593
CVE-2013-1593 is a Denial of Service vulnerability in SAP NetWeaver Message Server (msg_server.exe) affecting SAP NetWeaver 2004s and 7.01 SR1, 7.02 SP06, 7.30 SP04. The issue arises in the WRITE_C function when processing specially crafted SAP Message Server packets directed at TCP ports 36NN/39...
CVE-2020-6185
SAP NetWeaver ABAP Online Community and SAP S/4HANA (SAP_BASIS 7.40 and 7.50–7.54) are affected by CVE-2020-6185. An authenticated attacker can store a payload that yields Stored Cross-Site Scripting via the described conditions. Exploitation details are not provided beyond the stored-XSS descrip...
CVE-2012-2512
CVE-2012-2512 affects SAP NetWeaver Dispatcher (7.0 EHP1/EHP2) via disp+work.exe: DiagTraceStreamI vulnerability triggered by crafted SAP Diag packets over remote TCP causes a denial of service (daemon crash). Vulnerable versions include disp+work.exe v7010.29.15.58313 and v7200.70.18.23869. Impa...
CVE-2012-2611
CVE-2012-2611 affects SAP NetWeaver Dispatcher where the DiagTraceR3Info function in disp+work.exe can overflow a stack buffer when Developer Traces are enabled at level 2 or higher, enabling remote code execution via crafted SAP Diag packets. Affected: SAP NetWeaver Dispatcher (7.0 EHP1/EHP2) wi...
CVE-2021-21481
CVE-2021-21481 affects SAP NetWeaver AS JAVA MigrationService (versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50). The vulnerability arises from a missing authorization check, which could let an unauthorized attacker access configuration objects and potentially grant administrative privileges, en...
CVE-2013-6822
CVE-2013-6822 affects the SAP NetWeaver component GRMGApp and is tied to an XML External Entity (XXE) issue. The available description states a remote impact but does not specify exact vulnerable versions, attack vectors, or concrete remediation. Several connected records reference SAP advisories...
CVE-2014-0995
SAP NetWeaver Enqueue Server (Standalone Enqueue Server) is affected. Specifically, SAP NetWeaver 7.01 and 7.20 (and earlier) expose a denial-of-service vulnerability triggered by a crafted Trace Pattern with wildcards, causing uncontrolled recursion and a crash. The vulnerability affects the Sta...
CVE-2015-2815
CVE-2015-2815 affects the SAP NetWeaver Dispatcher in SAP Kernel. Vulnerable are SAP KERNEL 7.00 (32-bit, disp+work.exe 7000.52.12.34966) and 7.40 (64-bit, disp+work.exe 7400.12.21.30308). The issue is a buffer overflow in C_SAPGPARAM that can be exploited by an authenticated remote attacker to e...
CVE-2019-0248
Summary: CVE-2019-0248 affects the SAP Gateway of the ABAP Application Server, causing information disclosure under certain conditions. The issue is addressed in SAP_GWFND versions 7.5, 7.51, 7.52, 7.53 and SAP_BASIS 7.5. Affected component: SAP Gateway in the ABAP Application Server. Root cause/...
CVE-2023-0021
CVE-2023-0021 affects SAP NetWeaver versions 700–750. It stems from insufficient encoding of user input, allowing an unauthenticated attacker to inject code that can expose sensitive data (e.g., user IDs and passwords) and may lead to reflected Cross-Site Scripting. Endpoints are network-exposed,...
CVE-2023-41367
CVE-2023-41367 affects SAP NetWeaver (Guided Procedures), specifically the webdynpro component in version 7.50. The root cause is a missing authentication check, allowing an unauthorized user to anonymously access the administrator view of a function and potentially view the user’s email address....
CVE-2015-2817
CVE-2015-2817 affects the SAP NetWeaver 7.40 SAP Management Console (CCMS) where an anonymous attacker can send a POST request to obtain information about SAP profile parameters via the ReadProfile interface. Root cause is information disclosure due to insufficient access control on the Managemen...
CVE-2016-4014
The CVE-2016-4014 entry concerns an XXE/XEE vulnerability in the SAP NetWeaver AS JAVA UDDI component (SAP NetWeaver JAVA AS 7.4). The root cause is XML External Entity processing allowing a crafted DTD to cause denial of service by making the server hang when processing requests to uddi/api/repl...
CVE-2016-2387
CVE-2016-2387 pertains to SAP NetWeaver 7.4, affecting the Java Proxy Runtime ProxyServer servlet. The vulnerability enables cross-site scripting (XSS) via the ProxyServer/register endpoint, by manipulating the ns or interface parameters, as noted in SAP Security Note 2220571. Public advisories (...
CVE-2012-2511
CVE-2012-2511 affects SAP NetWeaver Dispatcher 7.0 EHP1/EHP2, specifically the disp+work.exe components (versions v7010.29.15.58313 and v7200.70.18.23869). The DiagTraceAtoms function is the root cause: processing crafted SAP Diag packets in the Dispatcher can trigger a remote, unauthenticated de...
CVE-2015-6662
CVE-2015-6662 describes an XML External Entity (XXE) vulnerability in SAP NetWeaver Portal 7.4. The exposed component is the SAP NetWeaver Portal XML parser handling admin-import functionality (prtroot/com.sap.portal.landscape.access.LSXMLParse). A crafted XML payload can trigger XXE to read arbi...
CVE-2014-1964
CVE-2014-1964 is an XSS vulnerability in the SAP NetWeaver Integration Repository (BC-XI) component of SAP Exchange Infrastructure. The issue affects the Integration Repository via the ESR application and a DIR error, enabling remote attackers to inject arbitrary web script or HTML. The NVD notes...
CVE-2014-4003
CVE-2014-4003 refers to the SAP NetWeaver System Landscape Directory (SLD) vulnerability where remote attackers can modify information through vectors related to adding a system. The core impact is information tampering with SLD data, as described in multiple sources (NVD entry and SAP-related ad...
CVE-2021-38183
CVE-2021-38183 affects SAP NetWeaver versions 700, 701, 702, 730 due to insufficient encoding of user-controlled inputs, causing a reflected Cross-Site Scripting (XSS) vulnerability. The root cause is under-encoded input in a vulnerable web component, allowing a malicious payload to be provided b...
CVE-2023-33984
SAP NetWeaver (Design Time Repository) v7.50 is affected. The issue arises from returning an unfavorable content type for certain versioned files, enabling an authorized attacker to create a file containing malicious content and share a link resulting in cross-site scripting (XSS). Public referen...