CVSS: 5.8EPSS: 0%CPEs: 23EXPL: 0CVE-2021-33663
https://notcve.org/view.php?id=CVE-2021-33663
SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands due to improper restriction of I/O buffering into encrypted SMTP sessions over the network which can partially impact the integrity of the application. SAP NetWeaver AS ABAP, versiones - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT, 7.49, KRNL64UC - 8.04,7.22,7.22EXT, 7.49,7.53,7.73, KERNEL - 7.22,8.04 , 7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, permite a un atacante no autorizado insertar comandos de texto sin cifrar debido a una restricción inapropiada del almacenamiento en búfer de E/S en sesiones SMTP cifradas a través de la red, lo que puede impactar parcialmente la integridad de la aplicación • https://launchpad.support.sap.com/#/notes/3030604 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 •
CVSS: 5.4EPSS: 0%CPEs: 7EXPL: 0CVE-2021-33664
https://notcve.org/view.php?id=CVE-2021-33664
SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver Application Server ABAP (Aplicaciones basadas en Web Dynpro ABAP), versiones - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731, no codifica suficientemente las entradas controladas por el usuario, resultando una vulnerabilidad de tipo cross-site scripting (XSS) • https://launchpad.support.sap.com/#/notes/3025604 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 1%CPEs: 13EXPL: 2CVE-2021-21473 – SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization
https://notcve.org/view.php?id=CVE-2021-21473
SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform. SAP NetWeaver AS ABAP y ABAP Platform, versiones - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contiene el módulo de función SRM_RFC_SUBMIT_REPORT que no comprueba la autorización de un usuario autenticado por lo tanto permitir a un usuario no autorizado ejecutar reportes en la plataforma SAP NetWeaver ABAP The SAP application server ABAP and ABAP Platform are susceptible to code injection, SQL injection, and missing authorization vulnerabilities. Multiple SAP products are affected. • http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html http://seclists.org/fulldisclosure/2022/May/42 https://launchpad.support.sap.com/#/notes/3002517 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 0CVE-2021-21490
https://notcve.org/view.php?id=CVE-2021-21490
SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user. SAP NetWeaver AS para ABAP (Web Survey), versiones: 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, no codifica suficientemente los parámetros input y output, lo que resulta en una vulnerabilidad de tipo cross site scripting reflejado, mediante el cual un usuario malicioso puede acceder a los datos relacionados con la sesión actual y usarlos para hacerse pasar por un usuario y acceder a toda la información con los mismos derechos que el usuario objetivo • https://launchpad.support.sap.com/#/notes/3004043 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 16EXPL: 0CVE-2021-27597
https://notcve.org/view.php?id=CVE-2021-27597
SAP NetWeaver AS for ABAP (RFC Gateway), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method memmove() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver AS para ABAP (RFC Gateway), versiones - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT, 7.49, KRNL64UC - 8.04,7.22,7.22EXT, 7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49 , 7.53,7.73,7.77,7.81,7.82,7.83, permite a un atacante no autenticado sin conocimiento específico del sistema enviar un paquete especialmente diseñado a través de una red que desencadenará un error interno en el sistema debido a una comprobación inapropiada de entrada en el método memmove( ) causando el bloqueo del sistema y hacer que no esté disponible. En este ataque, ningún dato del sistema puede ser visualizado o modificado • https://launchpad.support.sap.com/#/notes/3020209 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 • CWE-125: Out-of-bounds Read •