CVE-2019-0351
https://notcve.org/view.php?id=CVE-2019-0351
A remote code execution vulnerability exists in the SAP NetWeaver UDDI Server (Services Registry), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50. Because of this, an attacker can exploit Services Registry potentially enabling them to take complete control of the product, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. It can also be used to cause a general fault in the product, causing the product to terminate. Se presenta una vulnerabilidad de ejecución de código remota en SAP NetWeaver UDDI Server (Services Registry), versiones 7.10, 7.20, 7.30, 7.31, 7.40, 7.50. Debido a esto, un atacante puede explotar el Services Registry potencialmente permitiéndoles tomar el control completo del producto, incluyendo visualizar, cambiar o eliminar datos mediante la inyección de código en la memoria de trabajo que posteriormente es ejecutada por la aplicación. • https://launchpad.support.sap.com/#/notes/2800779 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017 •
CVE-2019-0345
https://notcve.org/view.php?id=CVE-2019-0345
A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery. Un atacante remoto no autenticado puede abusar de un servicio web en SAP NetWeaver Application Server for Java (Administrator System Overview), versiones 7.30, 7.31, 7.40, 7.50, enviando un archivo XML especialmente diseñado y engañando al servidor de aplicaciones al filtrar credenciales de autenticación para su propia consola de SAP Management, resultando en un ataque de tipo Server-Side Request Forgery. • https://launchpad.support.sap.com/#/notes/2813811 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2019-0337
https://notcve.org/view.php?id=CVE-2019-0337
Java Proxy Runtime of SAP NetWeaver Process Integration, versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs and allows an attacker to execute malicious scripts in the url thereby resulting in Reflected Cross-Site Scripting (XSS) vulnerability Java Proxy Runtime de SAP NetWeaver Process Integration, versiones 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, no codifica suficientemente las entradas controladas por el usuario y permite a un atacante ejecutar scripts maliciosos en la url, de este modo resulta en una vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejado. • https://launchpad.support.sap.com/#/notes/2789866 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-0328
https://notcve.org/view.php?id=CVE-2019-0328
ABAP Tests Modules (SAP Basis, versions 7.0, 7.1, 7.3, 7.31, 7.4, 7.5) of SAP NetWeaver Process Integration enables an attacker the execution of OS commands with privileged rights. An attacker could thereby impact the integrity and availability of the system. ABAP Tests Modules (SAP Basis, versiones 7.0, 7.1, 7.3, 7.31, 7.4, 7.5) de SAP NetWeaver Process Integration, permiten a un atacante la ejecución de comandos del sistema operativo con derechos privilegiados. Un atacante podría afectar la integridad y disponibilidad del sistema. • http://www.securityfocus.com/bid/109067 https://launchpad.support.sap.com/#/notes/2774489 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2019-0327
https://notcve.org/view.php?id=CVE-2019-0327
SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation. SAP NetWeaver para Java Application Server - Web Container, (engineapi, versiones 7.1, 7.2, 7.3, 7.31, 7.4 y 7.5), (servercode, versiones 7.2, 7.3, 7.31, 7.4, 7.5), permiten a un atacante cargar archivos (incluyendo archivos de script) sin la comprobación apropiada del formato del archivo. • http://www.securityfocus.com/bid/109071 https://launchpad.support.sap.com/#/notes/2777910 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575 • CWE-434: Unrestricted Upload of File with Dangerous Type •