Netweaver Security Vulnerabilities and Issues — Netweaver CVE List

Lucene search

SapNetweaver

8 matches found

CVE•added 2023/07/11 3:15 a.m.•120 views

CVE-2023-36922

Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. On successful exploitation, the attacker can read or mo...

9.1CVSS8.7AI score0.00165EPSS

CVE•added 2023/04/11 4:16 a.m.•58 views

CVE-2023-29186

In SAP NetWeaver (BI CONT ADDON) - versions 707, 737, 747, 757, an attacker can exploit a directory traversal flaw in a report to upload and overwrite files on the SAP server. Data cannot be read but if a remote attacker has sufficient (administrative) privileges then potentially critical OS files ...

8.7CVSS6.8AI score0.23296EPSS

CVE•added 2023/06/13 3:15 a.m.•56 views

CVE-2023-32114

SAP NetWeaver (Change and Transport System) - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an authenticated user with admin privileges to maliciously run a benchmark program repeatedly in intent to slowdown or make the server unavailable which may lead to a limited impact ...

2.7CVSS3.8AI score0.00058EPSS

CVE•added 2023/06/13 3:15 a.m.•51 views

CVE-2023-33985

SAP NetWeaver Enterprise Portal - version 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack. On successful exploitation, an attacker can view or modify information c...

6.1CVSS6AI score0.00399EPSS

CVE•added 2023/09/12 2:15 a.m.•48 views

CVE-2023-41367

Due to missing authentication check in webdynpro application, an unauthorized user in SAP NetWeaver (Guided Procedures) - version 7.50, can gain access to admin view of specific function anonymously. On successful exploitation of vulnerability under specific circumstances, attacker can view user’s ...

5.3CVSS5.4AI score0.00188EPSS

CVE•added 2023/03/14 5:15 a.m.•46 views

CVE-2023-0021

Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password, which could lead to reflected Cross-Site scripting. These endpoints are normally exposed ove...

6.1CVSS6.2AI score0.00829EPSS

CVE•added 2023/04/11 3:15 a.m.•38 views

CVE-2023-27499

SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure...

6.1CVSS6AI score0.00416EPSS

CVE•added 2023/06/13 3:15 a.m.•35 views

CVE-2023-33984

SAP NetWeaver (Design Time Repository) - version 7.50, returns an unfavorable content type for some versioned files, which could allow an authorized attacker to create a file with a malicious content and send a link to a victim in an email or instant message. Under certain circumstances, this could...

6.4CVSS5.5AI score0.00433EPSS