CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23190 – Missing Authorization check in SAP NetWeaver and ABAP platform (ST-PI)
https://notcve.org/view.php?id=CVE-2025-23190
11 Feb 2025 — Due to missing authorization check, an authenticated attacker could call a remote-enabled function module which allows them to access data that they would otherwise not have access to. The attacker cannot modify data or impact the availability of the system. • https://me.sap.com/notes/3547581 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23189 – Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN)
https://notcve.org/view.php?id=CVE-2025-23189
11 Feb 2025 — Due to missing authorization check in an RFC enabled function module in transaction SDCCN, an authenticated attacker could generate technical meta-data. This leads to a low impact on integrity. There is no impact on confidentiality or availability • https://me.sap.com/notes/3546470 • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23187 – Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN)
https://notcve.org/view.php?id=CVE-2025-23187
11 Feb 2025 — Due to missing authorization check in an RFC enabled function module in transaction SDCCN, an unauthenticated attacker could generate technical meta-data. This leads to a low impact on integrity. There is no impact on confidentiality or availability. • https://me.sap.com/notes/3546470 • CWE-862: Missing Authorization •
CVSS: 9.9EPSS: 0%CPEs: 12EXPL: 0CVE-2025-0070 – Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform
https://notcve.org/view.php?id=CVE-2025-0070
14 Jan 2025 — SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to obtain illegitimate access to the system by exploiting improper authentication checks, resulting in privilege escalation. On successful exploitation, this can result in potential security concerns. This results in a high impact on confidentiality, integrity, and availability. • https://me.sap.com/notes/3537476 • CWE-287: Improper Authentication •
CVSS: 6.0EPSS: 0%CPEs: 7EXPL: 0CVE-2025-0059 – Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
https://notcve.org/view.php?id=CVE-2025-0059
14 Jan 2025 — Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim�s user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application. • https://me.sap.com/notes/3503138 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-0057 – Cross-Site Scripting vulnerability in SAP NetWeaver AS JAVA (User Admin Application)
https://notcve.org/view.php?id=CVE-2025-0057
14 Jan 2025 — SAP NetWeaver AS JAVA (User Admin Application) is vulnerable to stored cross site scripting vulnerability. An attacker posing as an admin can upload a photo with malicious JS content. When a victim visits the vulnerable component, the attacker can read and modify information within the scope of victim's web browser. • https://me.sap.com/notes/3514421 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0053 – Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2025-0053
14 Jan 2025 — SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the confidentiality of the application and may be leveraged to facilitate further attacks or exploits. • https://me.sap.com/notes/3536461 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 8.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-54198 – Information Disclosure vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP
https://notcve.org/view.php?id=CVE-2024-54198
10 Dec 2024 — In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application. • https://me.sap.com/notes/3469791 • CWE-914: Improper Control of Dynamically-Identified Variables •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47585 – Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2024-47585
10 Dec 2024 — SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks, resulting in privilege escalation. While authorizations for import and export are distinguished, a single authorization is applied for both, which may contribute to these risks. On successful exploitation, this can result in potential security concerns. However, it has no impact on the integrity and availability of the ap... • https://me.sap.com/notes/3536361 • CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47580 – Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)
https://notcve.org/view.php?id=CVE-2024-47580
10 Dec 2024 — An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability. • https://me.sap.com/notes/3536965 • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •