SapNetweaver

11 matches found

CVE
added 2021/09/14 12:15 p.m. | 964 views

CVE-2021-38163

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of th...

9.9 CVSS | 8.5 AI score | 0.88319 EPSS

CVE
added 2025/05/13 1:15 a.m. | 213 views

CVE-2025-42999

SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

9.1 CVSS | 9.2 AI score | 0.1876 EPSS

CVE
added 2023/07/11 3:15 a.m. | 120 views

CVE-2023-36922

Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. On successful exploitation, the attacker can read or mo...

9.1 CVSS | 8.7 AI score | 0.00165 EPSS

CVE
added 2020/03/10 9:15 p.m. | 74 views

CVE-2020-6203

SAP NetWeaver UDDI Server (Services Registry), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file APIs, leading to...

9.1 CVSS | 8.9 AI score | 0.00978 EPSS

CVE
added 2020/02/05 11:15 p.m. | 65 views

CVE-2011-1517

SAP NetWeaver 7.0 allows Remote Code Execution and Denial of Service caused by an error in the DiagTraceHex() function. By sending a specially-crafted packet, an attacker could exploit this vulnerability to cause the application to crash.

9.8 CVSS | 9.4 AI score | 0.02368 EPSS

CVE
added 2017/09/06 9:29 p.m. | 52 views

CVE-2015-7241

XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01.

9.8 CVSS | 9.3 AI score | 0.27377 EPSS

CVE
added 2012/05/15 4:21 a.m. | 50 views

CVE-2012-2611

The DiagTraceR3Info function in the Dialog processor in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2, when a certain Developer Trace configuration is enabled, allows remote attackers to execute arbitrary code via a crafted SAP Diag packet.

9.3 CVSS | 9.4 AI score | 0.77664 EPSS

CVE
added 2021/03/09 3:15 p.m. | 49 views

CVE-2021-21481

The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check. This might allow an unauthorized attacker to access configuration objects, including such that grant administrative privileges. This could result in compl...

9.6 CVSS | 8.5 AI score | 0.00156 EPSS

CVE
added 2016/04/14 2:59 p.m. | 40 views

CVE-2016-4014

XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to uddi/api/replication, aka SAP Security Note 2254389.

9 CVSS | 8.1 AI score | 0.08082 EPSS

CVE
added 2016/10/05 4:59 p.m. | 36 views

CVE-2016-7435

The (1) SCTC_REFRESH_EXPORT_TAB_COMP, (2) SCTC_REFRESH_CHECK_ENV, and (3) SCTC_TMS_MAINTAIN_ALOG functions in the SCTC subpackage in SAP Netweaver 7.40 SP 12 allow remote authenticated users with certain permissions to execute arbitrary commands via vectors involving a CALL 'SYSTEM' statement, aka ...

9.1 CVSS | 9 AI score | 0.01213 EPSS

CVE
added 2017/04/10 3:59 p.m. | 35 views

CVE-2016-10311

Stack-based buffer overflow in SAP NetWeaver 7.0 through 7.5 allows remote attackers to cause a denial of service () by sending a crafted packet to the SAPSTARTSRV port, aka SAP Security Note 2295238.

9.8 CVSS | 9.3 AI score | 0.04067 EPSS