CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-0057 – Cross-Site Scripting vulnerability in SAP NetWeaver AS JAVA (User Admin Application)
https://notcve.org/view.php?id=CVE-2025-0057
14 Jan 2025 — SAP NetWeaver AS JAVA (User Admin Application) is vulnerable to stored cross site scripting vulnerability. An attacker posing as an admin can upload a photo with malicious JS content. When a victim visits the vulnerable component, the attacker can read and modify information within the scope of victim's web browser. • https://me.sap.com/notes/3514421 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47580 – Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)
https://notcve.org/view.php?id=CVE-2024-47580
10 Dec 2024 — An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability. • https://me.sap.com/notes/3536965 • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47579 – Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)
https://notcve.org/view.php?id=CVE-2024-47579
10 Dec 2024 — An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows the attacker to read any file on the server with no effect on integrity or availability • https://me.sap.com/notes/3536965 • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47578 – Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)
https://notcve.org/view.php?id=CVE-2024-47578
10 Dec 2024 — Adobe Document Service allows an attacker with administrator privileges to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. On successful exploitation, the attacker can read or modify any file and/or make the entire system unavailable. • https://me.sap.com/notes/3536965 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45283 – Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service)
https://notcve.org/view.php?id=CVE-2024-45283
10 Sep 2024 — SAP NetWeaver AS for Java allows an authorized attacker to obtain sensitive information. The attacker could obtain the username and password when creating an RFC destination. After successful exploitation, an attacker can read the sensitive information but cannot modify or delete the data. • https://me.sap.com/notes/3477359 • CWE-256: Plaintext Storage of a Password •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45280 – Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver AS Java (Logon Application)
https://notcve.org/view.php?id=CVE-2024-45280
10 Sep 2024 — Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. This has a limited impact on confidentiality and integrity of the application. There is no impact on availability. • https://me.sap.com/notes/3505503 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-44120 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
https://notcve.org/view.php?id=CVE-2024-44120
10 Sep 2024 — SAP NetWeaver Enterprise Portal is vulnerable to reflected cross site scripting due to insufficient encoding of user-controlled input. An unauthenticated attacker could craft a malicious URL and trick a user to click it. If the victim clicks on this crafted URL before it times out, then the attacker could read and manipulate user content in the browser. • https://me.sap.com/notes/3498221 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-27899 – Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine
https://notcve.org/view.php?id=CVE-2024-27899
09 Apr 2024 — Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability. Self-Registration and Modify your own profile en User Admin Application de NetWeaver AS Java no exige requisitos de seguridad adecuados para el contenido de la respuesta de seguridad reci... • https://me.sap.com/notes/3434839 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27898 – Server-Side Request Forgery in SAP NetWeaver
https://notcve.org/view.php?id=CVE-2024-27898
09 Apr 2024 — SAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. Thus, having a low impact on confidentiality. La aplicación SAP NetWeaver, debido a una validación de entrada insuficiente, permite a un atacante enviar una solicitud manipulada desde una aplic... • https://me.sap.com/notes/3425188 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25645 – Information Disclosure vulnerability in SAP NetWeaver (Enterprise Portal)
https://notcve.org/view.php?id=CVE-2024-25645
12 Mar 2024 — Under certain condition SAP NetWeaver (Enterprise Portal) - version 7.50 allows an attacker to access information which would otherwise be restricted causing low impact on confidentiality of the application and with no impact on Integrity and Availability of the application. Bajo ciertas condiciones, SAP NetWeaver (Enterprise Portal): la versión 7.50 permite a un atacante acceder a información que de otro modo estaría restringida, lo que causa un impacto bajo en la confidencialidad de la aplicación y sin im... • https://me.sap.com/notes/3428847 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •