![](/assets/img/cve_300x82_sin_bg.png)
CVE-2021-33665
https://notcve.org/view.php?id=CVE-2021-33665
09 Jun 2021 — SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver Application Server ABAP (Aplicaciones basadas en SAP GUI para HTML), versiones - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, no codifica suficientemente las entradas controladas por el usuario,... • https://launchpad.support.sap.com/#/notes/3028370 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
![](/assets/img/cve_300x82_sin_bg.png)
CVE-2021-33663
https://notcve.org/view.php?id=CVE-2021-33663
09 Jun 2021 — SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands due to improper restriction of I/O buffering into encrypted SMTP sessions over the network which can partially impact the integrity of the application. SAP NetWeaver AS ABAP, versiones - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7... • https://launchpad.support.sap.com/#/notes/3030604 •
![](/assets/img/cve_300x82_sin_bg.png)
CVE-2021-33664
https://notcve.org/view.php?id=CVE-2021-33664
09 Jun 2021 — SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver Application Server ABAP (Aplicaciones basadas en Web Dynpro ABAP), versiones - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731, no codifica suficientemente las entradas controladas por el usuario, resultando una vulnerabilidad de tipo cross-site ... • https://launchpad.support.sap.com/#/notes/3025604 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
![](/assets/img/cve_300x82_sin_bg.png)
CVE-2021-27635 – SAP JAVA NetWeaver System Connections XML Injection
https://notcve.org/view.php?id=CVE-2021-27635
09 Jun 2021 — SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compromise as to ... • http://packetstormsecurity.com/files/164592/SAP-JAVA-NetWeaver-System-Connections-XML-Injection.html • CWE-611: Improper Restriction of XML External Entity Reference •
![](/assets/img/cve_300x82_sin_bg.png)
CVE-2021-27621
https://notcve.org/view.php?id=CVE-2021-27621
09 Jun 2021 — Information Disclosure vulnerability in UserAdmin application in SAP NetWeaver Application Server for Java, versions - 7.11,7.20,7.30,7.31,7.40 and 7.50 allows attackers to access restricted information by entering malicious server name. Una vulnerabilidad de divulgación de información en la aplicación UserAdmin en SAP NetWeaver Application Server para Java, versiones - 7.11,7.20,7.30,7.31,7.40 y 7.50, permite a atacantes acceder a información restringida al ingresar el nombre del servidor malicioso • https://launchpad.support.sap.com/#/notes/3023299 •
![](/assets/img/cve_300x82_sin_bg.png)
CVE-2021-21473 – SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization
https://notcve.org/view.php?id=CVE-2021-21473
09 Jun 2021 — SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform. SAP NetWeaver AS ABAP y ABAP Platform, versiones - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contiene el módulo de función SRM_RFC_SUBMIT_REPORT que no comprueba la autorizació... • https://packetstorm.news/files/id/167229 • CWE-862: Missing Authorization •
![](/assets/img/cve_300x82_sin_bg.png)
CVE-2021-21490
https://notcve.org/view.php?id=CVE-2021-21490
09 Jun 2021 — SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user. SAP NetWeaver AS para ABAP (Web Survey), versiones: 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F,... • https://launchpad.support.sap.com/#/notes/3004043 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
![](/assets/img/cve_300x82_sin_bg.png)
CVE-2021-27611
https://notcve.org/view.php?id=CVE-2021-27611
11 May 2021 — SAP NetWeaver AS ABAP, versions - 700, 701, 702, 730, 731, allow a high privileged attacker to inject malicious code by executing an ABAP report when the attacker has access to the local SAP system. The attacker could then get access to data, overwrite them, or execute a denial of service. SAP NetWeaver AS ABAP, versiones - 700, 701, 702, 730, 731, permiten a un atacante muy privilegiado inyectar código malicioso al ejecutar un reporte ABAP cuando el atacante tiene acceso al sistema SAP local. El atacante p... • https://launchpad.support.sap.com/#/notes/3046610 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
![](/assets/img/cve_300x82_sin_bg.png)
CVE-2021-21485
https://notcve.org/view.php?id=CVE-2021-21485
13 Apr 2021 — An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user. Un atacante no autorizado puede ser capaz de atraer a un administrador para que invoque comandos telnet de SAP NetWeaver Application Server para Java que permitan al atacante obtener hashes NTLM de un usuario privilegiado • https://launchpad.support.sap.com/#/notes/3001824 •
![](/assets/img/cve_300x82_sin_bg.png)
CVE-2021-27601
https://notcve.org/view.php?id=CVE-2021-27601
13 Apr 2021 — SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree. SAP NetWeaver AS Java (Aplicaciones basadas en HTMLB para Java) permite a un atacante autorizado de nivel básico almacenar un archivo malicioso en el servidor. ... • https://launchpad.support.sap.com/#/notes/2963592 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •