
CVSS: 6.3 | EPSS: 0% | CPEs: 13 | EXPL: 0

Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server can impersonate other users and may perform some unintended actions. This could lead to a low impact on confidentiality and a high impact on the integrity and availability of the applications.
• https://me.sap.com/notes/3438085 https://url.sap/sapsecuritypatchday
• CWE-862: Missing Authorization

CVSS: 5.0 | EPSS: 1% | CPEs: 8 | EXPL: 0

Unspecified vulnerability in sapstartsrv.exe in the SAP Kernel 6.40, 7.00, 7.01, 7.10, 7.11, and 7.20, as used in SAP NetWeaver 7.x and SAP Web Application Server 6.x and 7.x, allows remote attackers to cause a denial of service (Management Console shutdown) via a crafted request. NOTE: some of these details are obtained from third party information.
• http://secunia.com/advisories/37684 http://www.cybsec.com/vuln/CYBSEC_SAP_sapstartsrv_DoS.pdf http://www.securityfocus.com/bid/37286 http://www.securitytracker.com/id?1023319 https://service.sap.com/sap/support/notes/1302231

CVSS: 4.3 | EPSS: 86% | CPEs: 3 | EXPL: 2

Cross-site scripting (XSS) vulnerability in the Web GUI in SAP Web Application Server (WAS) 7.0, Web Dynpro for ABAP (aka WD4A or WDA), and Web Dynpro for BSP allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under bc/gui/sap/its/webgui/.
• https://www.exploit-db.com/exploits/31816 http://secunia.com/advisories/30334 http://www.securityfocus.com/archive/1/492376/100/0/threaded http://www.securityfocus.com/bid/29317 http://www.securitytracker.com/id?1020097 http://www.vupen.com/english/advisories/2008/1599/references https://exchange.xforce.ibmcloud.com/vulnerabilities/42724
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.8 | EPSS: 4% | CPEs: 7 | EXPL: 0

Internet Communication Manager (aka ICMAN.exe or ICM) in SAP NetWeaver Application Server 6.x and 7.x, possibly only on Windows, allows remote attackers to cause a denial of service (process crash) via a URI of a certain length that contains a sap-isc-key parameter, related to configuration of a web cache.
• http://archives.neohapsis.com/archives/fulldisclosure/2007-07/0105.html http://osvdb.org/38095 http://secunia.com/advisories/25964 http://securityreason.com/securityalert/2875 http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-internet-communication-manager-dos http://www.securityfocus.com/archive/1/472890/100/0/threaded http://www.securityfocus.com/bid/24774 http://www.securitytracker.com/id?1018336 http://www.vupen.com/english/advisories/2007/2450 https://exchange.xforce.ibmc

CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

Unspecified vulnerability in SAP Web Application Server before 6.40 patch 6 allows remote attackers to cause a denial of service (enserver.exe crash) via a certain UDP packet to port 64999, aka "two bytes UDP crash," a different vulnerability than CVE-2006-5785.
• http://securityreason.com/securityalert/1889 http://www.securityfocus.com/archive/1/451378/100/0/threaded