CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-27603
https://notcve.org/view.php?id=CVE-2021-27603
An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time. An attacker could call this function module multiple times to block all work processes thereby causing Denial of Service and affecting the Availability of the SAP system. Un módulo de función SPI_WAIT_MILLIS habilitado para RFC en SAP NetWeaver AS ABAP, versiones - 731, 740, 750, permite mantener un proceso de trabajo ocupado durante cualquier período de tiempo. Un atacante podría llamar a este módulo de funciones varias veces para bloquear todos los procesos de trabajo, conllevando a una Denegación de Servicio y afectaría la Disponibilidad del sistema SAP • https://launchpad.support.sap.com/#/notes/3028729 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649 •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2021-21446
https://notcve.org/view.php?id=CVE-2021-21446
SAP NetWeaver AS ABAP, versions 740, 750, 751, 752, 753, 754, 755, allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, this has a high impact on the availability of the service. SAP NetWeaver AS ABAP, versiones 740, 750, 751, 752, 753, 754, 755, permite a un atacante no autenticado impedir que usuarios legítimos accedan a un servicio, ya sea bloqueando o inundando el servicio, esto presenta un alto impacto en la disponibilidad de el servicio • https://launchpad.support.sap.com/#/notes/3000306 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476 •
CVSS: 7.6EPSS: 1%CPEs: 13EXPL: 2CVE-2020-26832 – SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization
https://notcve.org/view.php?id=CVE-2020-26832
SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable. SAP AS ABAP (SAP Landscape Transformation), versiones - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 y SAP S4 HANA (SAP Landscape Transformation), versiones - 101, 102, 103, 104, 105, permite a un usuario muy privilegiado ejecutar un módulo de función RFC al que debe estar restringido el acceso; sin embargo, debido a una falta de autorización, un atacante puede obtener acceso a información interna confidencial del sistema SAP vulnerable o hacer a sistemas SAP vulnerables no disponibles completamente The SAP application server ABAP and ABAP Platform are susceptible to code injection, SQL injection, and missing authorization vulnerabilities. Multiple SAP products are affected. • http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html http://seclists.org/fulldisclosure/2022/May/42 https://launchpad.support.sap.com/#/notes/2993132 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2020-26835
https://notcve.org/view.php?id=CVE-2020-26835
SAP NetWeaver AS ABAP, versions - 740, 750, 751, 752, 753, 754 , does not sufficiently encode URL which allows an attacker to input malicious java script in the URL which could be executed in the browser resulting in Reflected Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver AS ABAP, versiones - 740, 750, 751, 752, 753, 754, no codifica suficientemente la URL, lo que permite a un atacante ingresar un script java malicioso en la URL que podría ser ejecutado en el navegador, resultando en una vulnerabilidad de tipo Cross-Site Scripting (XSS) • https://launchpad.support.sap.com/#/notes/2996479 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2020-26818
https://notcve.org/view.php?id=CVE-2020-26818
SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, which reveals sensitive system information that would otherwise be restricted to highly privileged users because of missing authorization, resulting in Information Disclosure. SAP NetWeaver AS ABAP (Web Dynpro), versiones: 731, 740, 750, 751, 752, 753, 754, 755, 782, permite a un usuario autenticado acceder a los componentes de Web Dynpro, lo que revela información confidencial del sistema que podría de otro modo estar restringido a usuarios altamente privilegiados debido a una falta de autorización, resultando en una Divulgación de Información • https://launchpad.support.sap.com/#/notes/2971954 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 • CWE-862: Missing Authorization •