SapNetweaver Application Server Java

16 matches found

added 2016/11/23 2:59 a.m. | 990 views

CVE-2016-9563

BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.

CVSS 6.5 | AI score 6.4 | EPSS 0.41099

added 2020/10/15 3:15 a.m. | 67 views

CVE-2020-6365

SAP NetWeaver AS Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, Start Page allows an unauthenticated remote attacker to redirect users to a malicious site due to insufficient reverse tabnabbing URL validation. The attacker could execute phishing attacks to steal credentials of the victi...

CVSS 6.1 | AI score 6.4 | EPSS 0.00212

added 2022/12/12 10:15 p.m. | 67 views

CVE-2022-41262

Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality...

CVSS 6.1 | AI score 6.2 | EPSS 0.00563

added 2020/04/14 7:15 p.m. | 53 views

CVE-2020-6224

SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to Information Disclosure...

CVSS 6.2 | AI score 6.4 | EPSS 0.00285

added 2020/10/15 2:15 a.m. | 53 views

CVE-2020-6319

SAP NetWeaver Application Server Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50 allows an unauthenticated attacker to include JavaScript blocks in any web page or URL with different symbols which are otherwise not allowed. On successful exploitation an attacker can steal authenticati...

CVSS 6.1 | AI score 6.3 | EPSS 0.00322

added 2021/04/13 7:15 p.m. | 50 views

CVE-2021-27598

SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of a missing authorization check in the servlet.

CVSS 6.5 | AI score 5.3 | EPSS 0.00183

added 2017/07/25 6:29 p.m. | 49 views

CVE-2017-11457

XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249.

CVSS 6.5 | AI score 6.2 | EPSS 0.00587

added 2016/04/07 7:59 p.m. | 47 views

CVE-2016-3975

Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.NavigationURLTester, aka SAP...

CVSS 6.1 | AI score 6.2 | EPSS 0.00657

added 2020/12/09 5:15 p.m. | 46 views

CVE-2020-26826

Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to Unrestricted File Upload.

CVSS 6.5 | AI score 6.5 | EPSS 0.00448

added 2023/10/10 2:15 a.m. | 44 views

CVE-2023-42477

SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application.

CVSS 6.5 | AI score 6.4 | EPSS 0.00092

added 2018/09/11 3:29 p.m. | 43 views

CVE-2018-2452

The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability.

CVSS 6.1 | AI score 5.9 | EPSS 0.0059

added 2021/03/10 3:15 p.m. | 43 views

CVE-2021-21491

SAP NetWeaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.

CVSS 6.1 | AI score 6.2 | EPSS 0.00133

added 2018/12/11 11:0 p.m. | 42 views

CVE-2018-2504

SAP NetWeaver AS Java Web Container service does not validate the HTTP Host header against a whitelist, which can result in HTTP Host Header Manipulation or a Cross-Site Scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50.

CVSS 6.1 | AI score 5.9 | EPSS 0.00391

added 2017/07/25 6:29 p.m. | 38 views

CVE-2017-11458

Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783.

CVSS 6.1 | AI score 6 | EPSS 0.00297

added 2020/09/09 1:15 p.m. | 38 views

CVE-2020-6313

SAP NetWeaver Application Server JAVA (XML Forms) versions 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, which allows an authenticated user with special roles to store malicious content, that when accessed by a victim, can perform malicious actions by executing JavaScri...

CVSS 6.5 | AI score 6.1 | EPSS 0.00296

added 2017/04/10 2:59 p.m. | 33 views

CVE-2016-10304

The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788.

CVSS 6.5 | AI score 6.1 | EPSS 0.00893