
CVE-2016-9562
https://notcve.org/view.php?id=CVE-2016-9562
23 Nov 2016 — SAP NetWeaver AS JAVA 7.4 allows remote attackers to cause a Denial of Service (null pointer exception and icman outage) via an HTTPS request to the sap.com~P4TunnelingApp!web/myServlet URI, aka SAP Security Note 2313835. • http://www.securityfocus.com/bid/92418 • CWE-476: NULL Pointer Dereference •

CVE-2016-7437 – SAP Netweaver 7.40 Memory Corruption
https://notcve.org/view.php?id=CVE-2016-7437
12 Oct 2016 — SAP Netweaver 7.40 improperly logs (1) DUI and (2) DUJ events in the SAP Security Audit Log as non-critical, which might allow local users to hide rejected attempts to execute RFC function callbacks by leveraging filtering of non-critical events in audit analysis reports, aka SAP Security Note 2252312. • http://seclists.org/fulldisclosure/2016/Oct/53 •

CVE-2016-3635 – SAP Netweaver 7.4 UCON Security Protection Bypass
https://notcve.org/view.php?id=CVE-2016-3635
11 Oct 2016 — SAP Netweaver 7.4 allows remote authenticated users to bypass an intended Unified Connectivity (UCON) access control list and execute arbitrary Remote Function Modules (RFM) by leveraging a connection created from earlier execution of an anonymous RFM included in a Communication Assembly, aka SAP Security Note 2139366. • http://seclists.org/fulldisclosure/2016/Oct/48 • CWE-284: Improper Access Control •

CVE-2016-7435 – SAP Netweaver 7.40 SP 12 SCTC_REORG_SPOOL OS Command Injection
https://notcve.org/view.php?id=CVE-2016-7435
03 Oct 2016 — The (1) SCTC_REFRESH_EXPORT_TAB_COMP, (2) SCTC_REFRESH_CHECK_ENV, and (3) SCTC_TMS_MAINTAIN_ALOG functions in the SCTC subpackage in SAP Netweaver 7.40 SP 12 allow remote authenticated users with certain permissions to execute arbitrary commands via vectors involving a CALL 'SYSTEM' statement, aka SAP Security Note 2260344. • https://packetstorm.news/files/id/138952 • CWE-264: Permissions, Privileges, and Access Controls •

CVE-2016-2387
https://notcve.org/view.php?id=CVE-2016-2387
16 Feb 2016 — Multiple cross-site scripting (XSS) vulnerabilities in the Java Proxy Runtime ProxyServer servlet in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via the (1) ns or (2) interface parameter to ProxyServer/register, aka SAP Security Note 2220571. • http://packetstormsecurity.com/files/137045/SAP-NetWeaver-AS-JAVA-7.4-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2016-2389 – SAP xMII 15.0 - Directory Traversal
https://notcve.org/view.php?id=CVE-2016-2389
16 Feb 2016 — Directory traversal vulnerability in the GetFileList function in the SAP Manufacturing Integration and Intelligence (xMII) component 15.0 for SAP NetWeaver 7.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the Path parameter to /Catalog, aka SAP Security Note 2230978. • https://www.exploit-db.com/exploits/39837 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2016-2386 – SAP NetWeaver SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2016-2386
16 Feb 2016 — SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079. SAP NetWeaver AS JAVA versions 7.1 through 7.5 suffer from a remote SQL injection... • https://packetstorm.news/files/id/145860 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2016-1910 – SAP NetWeaver J2EE Engine 7.40 - SQL Injection
https://notcve.org/view.php?id=CVE-2016-1910
15 Jan 2016 — The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers to decrypt unspecified data via unknown vectors, aka SAP Security Note 2191290. SAP NetWeaver J2EE Engine version 7.40 suffers from a remote SQL injection vulnerability. • https://packetstorm.news/files/id/145860 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2016-1911
https://notcve.org/view.php?id=CVE-2016-1911
15 Jan 2016 — Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) Runtime Workbench (RWB) or (2) Pmitest servlet in the Process Monitoring Infrastructure (PMI), aka SAP Security Notes 2206793 and 2234918. • http://seclists.org/fulldisclosure/2016/Apr/58 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2015-7239 – SAP NetWeaver J2EE Engine 7.40 SQL Injection
https://notcve.org/view.php?id=CVE-2015-7239
18 Sep 2015 — SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function module in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. SAP NetWeaver J2EE engine version 7.40 suffers from a remote SQL injection vulnerability. • https://packetstorm.news/files/id/134801 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •