CVSS: 9.8EPSS: 1%CPEs: 11EXPL: 3CVE-2022-27668 – SAP SAProuter Improper Access Control
https://notcve.org/view.php?id=CVE-2022-27668
14 Jun 2022 — Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP Platform - versions KERNEL 7.49, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.49, KRNL64UC 7.49, SAP_ROUTER 7.53, 7.22, from a remote client, for example stopping the SAProuter, that could highly impact systems availability. Dependiendo de la configuración de la tabla de permisos de ruta en el archivo "sapr... • https://packetstorm.news/files/id/168406 • CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-28217
https://notcve.org/view.php?id=CVE-2022-28217
13 Jun 2022 — Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at endpoints, and a possibility to conduct SSRF attacks that could compromise system�s Availability by causing system to crash. Alguna parte de SAP NetWeaver (EP Web Page Composer) no valida suficientemente un documento XML aceptado desde una fuente no fiable, lo que permite a un adversario explotar el estacionamiento... • https://launchpad.support.sap.com/#/notes/3148377 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 0%CPEs: 17EXPL: 0CVE-2022-29616
https://notcve.org/view.php?id=CVE-2022-29616
11 May 2022 — SAP Host Agent, SAP NetWeaver and ABAP Platform allow an attacker to leverage logical errors in memory management to cause a memory corruption. SAP Host Agent, SAP NetWeaver y ABAP Platform permiten a un atacante aprovechar errores lógicos en la administración de la memoria para causar una corrupción de memoria • https://launchpad.support.sap.com/#/notes/3145702 • CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 0%CPEs: 17EXPL: 0CVE-2022-29611
https://notcve.org/view.php?id=CVE-2022-29611
11 May 2022 — SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. SAP NetWeaver Application Server for ABAP y ABAP Platform no llevan a cabo las comprobaciones de autorización necesarias para un usuario autenticado, resultando en una escalada de privilegios • https://launchpad.support.sap.com/#/notes/3165801 • CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2022-29610
https://notcve.org/view.php?id=CVE-2022-29610
11 May 2022 — SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in Stored Cross-Site Scripting (XSS) attack. SAP NetWeaver Application Server ABAP permite que un atacante autenticado cargue archivos maliciosos y elimine (tema) datos, lo que podría resultar en un ataque de tipo Cross-Site Scripting (XSS) Almacenado • https://launchpad.support.sap.com/#/notes/3146336 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 21EXPL: 0CVE-2022-27656
https://notcve.org/view.php?id=CVE-2022-27656
11 May 2022 — The Web administration UI of SAP Web Dispatcher and the Internet Communication Manager (ICM) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. La interfaz de administración web de SAP Web Dispatcher y de Internet Communication Manager (ICM) no codifica suficientemente las entradas controladas por el usuario, resultando en una vulnerabilidad de tipo Cross-Site Scripting (XSS) • https://launchpad.support.sap.com/#/notes/3145046 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.7EPSS: 0%CPEs: 3EXPL: 0CVE-2022-28215
https://notcve.org/view.php?id=CVE-2022-28215
12 Apr 2022 — SAP NetWeaver ABAP Server and ABAP Platform - versions 740, 750, 787, allows an unauthenticated attacker to redirect users to a malicious site due to insufficient URL validation. This could lead to the user being tricked to disclose personal information. SAP NetWeaver ABAP Server y ABAP Platform - versiones 740, 750, 787, permite a un atacante no autenticado redirigir a usuarios a un sitio malicioso debido a la insuficiente comprobación de la URL. Esto podría conllevar a que el usuario fuera engañado para d... • https://launchpad.support.sap.com/#/notes/3165333 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.5EPSS: 0%CPEs: 15EXPL: 0CVE-2022-28772
https://notcve.org/view.php?id=CVE-2022-28772
12 Apr 2022 — By overlong input values an attacker may force overwrite of the internal program stack in SAP Web Dispatcher - versions 7.53, 7.77, 7.81, 7.85, 7.86, or Internet Communication Manager - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, which makes these programs unavailable, leading to denial of service. Mediante valores de entrada demasiado largos, un atacante puede forzar la sobreescritura de la pila interna del programa en SAP Web... • https://launchpad.support.sap.com/#/notes/3111311 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-27669
https://notcve.org/view.php?id=CVE-2022-27669
12 Apr 2022 — An unauthenticated user can use functions of XML Data Archiving Service of SAP NetWeaver Application Server for Java - version 7.50, to which access should be restricted. This may result in an escalation of privileges. Un usuario no autenticado puede usar funciones del Servicio de Archivo de Datos XML de SAP NetWeaver Application Server for Java - versión 7.50, cuyo acceso debería estar restringido. Esto puede resultar en una escalada de privilegios • https://launchpad.support.sap.com/#/notes/3152442 • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 15EXPL: 0CVE-2022-28773
https://notcve.org/view.php?id=CVE-2022-28773
12 Apr 2022 — Due to an uncontrolled recursion in SAP Web Dispatcher and SAP Internet Communication Manager, the application may crash, leading to denial of service, but can be restarted automatically. Debido a una recursión no controlada en SAP Web Dispatcher y SAP Internet Communication Manager, la aplicación puede bloquearse, conllevando a una denegación de servicio, pero puede reiniciarse automáticamente • https://launchpad.support.sap.com/#/notes/3111293 • CWE-674: Uncontrolled Recursion •