Netweaver Security Vulnerabilities and Issues — Netweaver CVE List

Lucene search

SapNetweaver

17 matches found

CVE•added 2022/02/09 11:15 p.m.•92 views

CVE-2022-22534

Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password. These endpoints are normally exposed over the network and successful exploitation can partially impact confidentiality of the applica...

6.1CVSS6.3AI score0.0172EPSS

CVE•added 2022/06/13 5:15 p.m.•73 views

CVE-2022-28217

Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at endpoints, and a possibility to conduct SSRF attacks that could compromise system�s Availability by cau...

6.5CVSS6.5AI score0.00257EPSS

CVE•added 2020/02/12 8:15 p.m.•58 views

CVE-2020-6184

Under certain conditions, ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), does not sufficiently encode user-controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability.

6.1CVSS6AI score0.00409EPSS

CVE•added 2023/06/13 3:15 a.m.•51 views

CVE-2023-33985

SAP NetWeaver Enterprise Portal - version 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack. On successful exploitation, an attacker can view or modify information c...

6.1CVSS6AI score0.00399EPSS

CVE•added 2015/04/01 2:59 p.m.•50 views

CVE-2015-2815

Buffer overflow in the C_SAPGPARAM function in the NetWeaver Dispatcher in SAP KERNEL 7.00 (7000.52.12.34966) and 7.40 (7400.12.21.30308) allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2063369.

6.5CVSS8.1AI score0.03458EPSS

CVE•added 2016/02/16 3:59 p.m.•46 views

CVE-2016-2387

Multiple cross-site scripting (XSS) vulnerabilities in the Java Proxy Runtime ProxyServer servlet in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via the (1) ns or (2) interface parameter to ProxyServer/register, aka SAP Security Note 2220571.

6.1CVSS6AI score0.00226EPSS

CVE•added 2023/03/14 5:15 a.m.•46 views

CVE-2023-0021

Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password, which could lead to reflected Cross-Site scripting. These endpoints are normally exposed ove...

6.1CVSS6.2AI score0.00829EPSS

CVE•added 2015/08/24 2:59 p.m.•42 views

CVE-2015-6662

XML external entity (XXE) vulnerability in SAP NetWeaver Portal 7.4 allows remote attackers to read arbitrary files and possibly have other unspecified impact via crafted XML data, aka SAP Security Note 2168485.

6.8CVSS7.1AI score0.00639EPSS

CVE•added 2021/10/12 3:15 p.m.•41 views

CVE-2021-38183

SAP NetWeaver - versions 700, 701, 702, 730, does not sufficiently encode user-controlled inputs, allowing an attacker to cause a potential victim to supply a malicious content to a vulnerable web application, which is then reflected to the victim and executed by the web browser, resulting in Cross...

6.1CVSS6AI score0.00596EPSS

CVE•added 2014/09/05 2:55 p.m.•40 views

CVE-2014-6252

Buffer overflow in disp+work.exe 7000.52.12.34966 and 7200.117.19.50294 in the Dispatcher in SAP NetWeaver 7.00 and 7.20 allows remote authenticated users to cause a denial of service or execute arbitrary code via unspecified vectors.

6.5CVSS7.9AI score0.02237EPSS

CVE•added 2023/04/11 3:15 a.m.•38 views

CVE-2023-27499

SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure...

6.1CVSS6AI score0.00416EPSS

CVE•added 2018/09/11 3:29 p.m.•37 views

CVE-2018-2464

SAP WebDynpro Java, versions 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability.

6.1CVSS5.9AI score0.00434EPSS

CVE•added 2016/01/15 8:59 p.m.•36 views

CVE-2016-1911

Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) Runtime Workbench (RWB) or (2) Pmitest servlet in the Process Monitoring Infrastructure (PMI), aka SAP Security Notes 2206793 and 223...

6.1CVSS5.9AI score0.00329EPSS

CVE•added 2018/11/13 8:29 p.m.•36 views

CVE-2018-2476

Due to insufficient URL Validation in forums in SAP NetWeaver versions 7.30, 7.31, 7.40, an attacker can redirect users to a malicious site.

6.1CVSS6.1AI score0.00217EPSS

CVE•added 2023/06/13 3:15 a.m.•35 views

CVE-2023-33984

SAP NetWeaver (Design Time Repository) - version 7.50, returns an unfavorable content type for some versioned files, which could allow an authorized attacker to create a file with a malicious content and send a link to a victim in an email or instant message. Under certain circumstances, this could...

6.4CVSS5.5AI score0.00433EPSS

CVE•added 2018/10/09 1:29 p.m.•34 views

CVE-2018-2470

In SAP NetWeaver Application Server for ABAP, from 7.0 to 7.02, 7.30, 7.31, 7.40 and from 7.50 to 7.53, applications do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

6.1CVSS6AI score0.00434EPSS

CVE•added 2013/11/20 2:12 p.m.•33 views

CVE-2013-6823

GRMGApp in SAP NetWeaver allows remote attackers to bypass intended access restrictions via unspecified vectors.

6.4CVSS6.9AI score0.00178EPSS