
CVE-2023-40624 – Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering)
https://notcve.org/view.php?id=CVE-2023-40624
12 Sep 2023 — SAP NetWeaver AS ABAP (applications based on Unified Rendering) - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, allows an attacker to inject JavaScript code that can be executed in the web-application. An attacker could thereby control the behavior of this web-application. • https://me.sap.com/notes/3323163 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-37492 – Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-37492
08 Aug 2023 — SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 793, SAP_BASIS 804, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read sensitive information which can be used in a subsequent serious attac... • https://me.sap.com/notes/3348000 • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •

CVE-2023-36922 – OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL)
https://notcve.org/view.php?id=CVE-2023-36922
11 Jul 2023 — Due to a programming error in a function module and a report, the IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. On successful exploitation, the attacker can read or modify the system data as well as shut down the system. • https://me.sap.com/notes/3350297 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2023-32114 – Denial of Service in SAP NetWeaver
https://notcve.org/view.php?id=CVE-2023-32114
13 Jun 2023 — SAP NetWeaver (Change and Transport System) - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an authenticated user with admin privileges to maliciously run a benchmark program repeatedly with the intent to slow down the server or make it unavailable, which may lead to a limited impact on Availability with no impact on Confidentiality and Integrity of the application. • https://launchpad.support.sap.com/#/notes/3325642 • CWE-400: Uncontrolled Resource Consumption CWE-732: Incorrect Permission Assignment for Critical Resource •

CVE-2023-29186 – Directory/Path Traversal vulnerability in SAP NetWeaver.
https://notcve.org/view.php?id=CVE-2023-29186
11 Apr 2023 — In SAP NetWeaver (BI CONT ADDON) - versions 707, 737, 747, 757, an attacker can exploit a directory traversal flaw in a report to upload and overwrite files on the SAP server. Data cannot be read but if a remote attacker has sufficient (administrative) privileges then potentially critical OS files can be overwritten making the system unavailable. • https://launchpad.support.sap.com/#/notes/3305907 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2023-29185 – Denial of Service (DOS) in SAP NetWeaver AS for ABAP (Business Server Pages)
https://notcve.org/view.php?id=CVE-2023-29185
11 Apr 2023 — SAP NetWeaver AS for ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters in certain circumstances which can consume the server's resources sufficiently to make it unavailable over the network without any user interaction. • https://launchpad.support.sap.com/#/notes/3303060 • CWE-400: Uncontrolled Resource Consumption •

CVE-2023-28763 – Denial of Service in SAP NetWeaver AS for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-28763
11 Apr 2023 — SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters which can consume the server's resources sufficiently to make it unavailable over the network without any user interaction. • https://launchpad.support.sap.com/#/notes/3296378 • CWE-400: Uncontrolled Resource Consumption •

CVE-2023-27501 – Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-27501
14 Mar 2023 — SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. In this attack, no data can be read but potentially critical OS files can be deleted, making the system unavailable and causing significant impact on both availability and integrity. • https://launchpad.support.sap.com/#/notes/3294954 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2023-27500 – Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-27500
14 Mar 2023 — An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to over-write system files. In this attack, no data can be read but potentially critical OS files can be over-written making the system unavailable. • https://launchpad.support.sap.com/#/notes/3302162 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2023-27270 – Denial of Service (DoS) in SAP NetWeaver AS for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-27270
14 Mar 2023 — SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in a class for test purposes in which an attacker authenticated as a non-administrative user can craft a request with certain parameters, which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information. • https://launchpad.support.sap.com/#/notes/3296328 • CWE-400: Uncontrolled Resource Consumption •