14 results (0.005 seconds)

CVSS: 6.3EPSS: 0%CPEs: 13EXPL: 0

Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server can impersonate other users and may perform some unintended actions. This could lead to a low impact on confidentiality and a high impact on the integrity and availability of the applications. • https://me.sap.com/notes/3438085 https://url.sap/sapsecuritypatchday • CWE-862: Missing Authorization •

CVSS: 5.0EPSS: 1%CPEs: 8EXPL: 0

Unspecified vulnerability in sapstartsrv.exe in the SAP Kernel 6.40, 7.00, 7.01, 7.10, 7.11, and 7.20, as used in SAP NetWeaver 7.x and SAP Web Application Server 6.x and 7.x, allows remote attackers to cause a denial of service (Management Console shutdown) via a crafted request. NOTE: some of these details are obtained from third party information. vulnerabilidad inespecífica en sapstartsrv.exe en el kernel SAP v6.40, v7.00, v7.01, v7.10, v7.11, y v7.20, tal y como se utiliza en SAP NetWeaver v7.x y SAP Web Application Server v6.x y v7.x, permite a atacantes remotos producir una denegación de servicio (apagado de la consola de administración) a través de una petición manipulada. • http://secunia.com/advisories/37684 http://www.cybsec.com/vuln/CYBSEC_SAP_sapstartsrv_DoS.pdf http://www.securityfocus.com/bid/37286 http://www.securitytracker.com/id?1023319 https://service.sap.com/sap/support/notes/1302231 •

CVSS: 4.3EPSS: 86%CPEs: 3EXPL: 2

Cross-site scripting (XSS) vulnerability in the Web GUI in SAP Web Application Server (WAS) 7.0, Web Dynpro for ABAP (aka WD4A or WDA), and Web Dynpro for BSP allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under bc/gui/sap/its/webgui/. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados en Web GUI en SAP Web Aplication Server (WAS) 7.0, Web Dynpro para ABAP (también conocido como WD4A o WDA), y Web Dynpro para BSP permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarias a través de PATH_INFO a la URI por defecto bajo bc/gui/sap/its/webgui/. • https://www.exploit-db.com/exploits/31816 http://secunia.com/advisories/30334 http://www.securityfocus.com/archive/1/492376/100/0/threaded http://www.securityfocus.com/bid/29317 http://www.securitytracker.com/id?1020097 http://www.vupen.com/english/advisories/2008/1599/references https://exchange.xforce.ibmcloud.com/vulnerabilities/42724 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.8EPSS: 4%CPEs: 7EXPL: 0

Internet Communication Manager (aka ICMAN.exe or ICM) in SAP NetWeaver Application Server 6.x and 7.x, possibly only on Windows, allows remote attackers to cause a denial of service (process crash) via a URI of a certain length that contains a sap-isc-key parameter, related to configuration of a web cache. El Internet Communication Manager (también conocido como ICMAN.exe o ICM) en el SAP NetWeaver Application Server 6.x y 7.x, posiblemente sólo bajo Windows, permite a atacantes remotos provocar una denegación de servicio (caída del proceso) a través de un URI de cierta longitud que contenga el parámetro sap-isc-key, relacionado con la configuración del caché de la web. • http://archives.neohapsis.com/archives/fulldisclosure/2007-07/0105.html http://osvdb.org/38095 http://secunia.com/advisories/25964 http://securityreason.com/securityalert/2875 http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-internet-communication-manager-dos http://www.securityfocus.com/archive/1/472890/100/0/threaded http://www.securityfocus.com/bid/24774 http://www.securitytracker.com/id?1018336 http://www.vupen.com/english/advisories/2007/2450 https://exchange.xforce.ibmc •

CVSS: 5.0EPSS: 4%CPEs: 1EXPL: 0

SAP allows remote attackers to obtain potentially sensitive information such as operating system and SAP version via an RFC_SYSTEM_INFO RfcCallReceive request, a different vulnerability than CVE-2003-0747. SAP permite a atacantes remotos obtener información potencialmente sensible tal como la versión de sistema operativo y SAP, mediante una petición RFC_SYSTEM_INFO RfcCallReceive, una vulnerabilidad distinta de CVE-2003-0747. • http://securityreason.com/securityalert/1889 http://www.securityfocus.com/archive/1/451378/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/39997 •