Netweaver Application Server Java@* Security Vulnerabilities and Issues — Netweaver Application Server Java@* CVE List

Lucene search

SapNetweaver Application Server Java*

8 matches found

CVE•added 2016/05/13 10:59 a.m.•1048 views

CVE-2010-5326

The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.

10CVSS9.8AI score0.26416EPSS

CVE•added 2016/04/07 11:59 p.m.•973 views

CVE-2016-3976

Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971.

7.5CVSS7.4AI score0.77789EPSS

CVE•added 2016/02/16 3:59 p.m.•959 views

CVE-2016-2388

The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.

5.3CVSS5AI score0.58733EPSS

CVE•added 2016/04/07 7:59 p.m.•48 views

CVE-2016-3974

XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to _tc~monitoring~webservice~web/ServerNodesWSService, ak...

9.1CVSS9AI score0.35165EPSS

CVE•added 2016/04/07 7:59 p.m.•47 views

CVE-2016-3975

Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.NavigationURLTester, aka SAP...

6.1CVSS6.2AI score0.00657EPSS

CVE•added 2017/09/19 4:29 p.m.•45 views

CVE-2017-14581

The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash) via a crafted request, aka SAP Security Note 2389181.

7.5CVSS7.3AI score0.00796EPSS

CVE•added 2019/03/12 10:29 p.m.•44 views

CVE-2019-0275

SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability.

5.4CVSS5.2AI score0.00252EPSS

CVE•added 2016/04/07 7:59 p.m.•38 views

CVE-2016-3973

The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to obtain sensitive user information by visiting webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#, pressing "Add users", and doing a search, aka ...

5.3CVSS5.1AI score0.00503EPSS