CVE-2021-27610
https://notcve.org/view.php?id=CVE-2021-27610
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system. SAP NetWeaver ABAP Server y ABAP Platform, versiones - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, no crea información sobre el usuario RFC interno y externo en un formato consistente y distinguible, lo que podría conllevar a una autenticación inapropiada y podría ser explotado por usuarios maliciosos para obtener acceso ilegítimo al sistema • https://launchpad.support.sap.com/#/notes/3007182 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 • CWE-287: Improper Authentication •
CVE-2021-33664
https://notcve.org/view.php?id=CVE-2021-33664
SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver Application Server ABAP (Aplicaciones basadas en Web Dynpro ABAP), versiones - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731, no codifica suficientemente las entradas controladas por el usuario, resultando una vulnerabilidad de tipo cross-site scripting (XSS) • https://launchpad.support.sap.com/#/notes/3025604 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-21473 – SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization
https://notcve.org/view.php?id=CVE-2021-21473
SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform. SAP NetWeaver AS ABAP y ABAP Platform, versiones - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contiene el módulo de función SRM_RFC_SUBMIT_REPORT que no comprueba la autorización de un usuario autenticado por lo tanto permitir a un usuario no autorizado ejecutar reportes en la plataforma SAP NetWeaver ABAP The SAP application server ABAP and ABAP Platform are susceptible to code injection, SQL injection, and missing authorization vulnerabilities. Multiple SAP products are affected. • http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html http://seclists.org/fulldisclosure/2022/May/42 https://launchpad.support.sap.com/#/notes/3002517 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 • CWE-862: Missing Authorization •
CVE-2021-21490
https://notcve.org/view.php?id=CVE-2021-21490
SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user. SAP NetWeaver AS para ABAP (Web Survey), versiones: 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, no codifica suficientemente los parámetros input y output, lo que resulta en una vulnerabilidad de tipo cross site scripting reflejado, mediante el cual un usuario malicioso puede acceder a los datos relacionados con la sesión actual y usarlos para hacerse pasar por un usuario y acceder a toda la información con los mismos derechos que el usuario objetivo • https://launchpad.support.sap.com/#/notes/3004043 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-27603
https://notcve.org/view.php?id=CVE-2021-27603
An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time. An attacker could call this function module multiple times to block all work processes thereby causing Denial of Service and affecting the Availability of the SAP system. Un módulo de función SPI_WAIT_MILLIS habilitado para RFC en SAP NetWeaver AS ABAP, versiones - 731, 740, 750, permite mantener un proceso de trabajo ocupado durante cualquier período de tiempo. Un atacante podría llamar a este módulo de funciones varias veces para bloquear todos los procesos de trabajo, conllevando a una Denegación de Servicio y afectaría la Disponibilidad del sistema SAP • https://launchpad.support.sap.com/#/notes/3028729 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649 •