CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2020-6319
https://notcve.org/view.php?id=CVE-2020-6319
15 Oct 2020 — SAP NetWeaver Application Server Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50 allows an unauthenticated attacker to include JavaScript blocks in any web page or URL with different symbols which are otherwise not allowed. On successful exploitation an attacker can steal authentication information of the user, such as data relating to his or her current session and limitedly impact confidentiality and integrity of the application, leading to Reflected Cross Site Scripting. SAP NetWeaver Appli... • https://launchpad.support.sap.com/#/notes/2956398 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2020-6309
https://notcve.org/view.php?id=CVE-2020-6309
12 Aug 2020 — SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the attacker to send several payloads and leading to complete denial of service. SAP NetWeaver AS JAVA, versiones - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), no lleva a cabo ninguna comprobación de autenticación para un servicio web permitiendo al atacante enviar varias carga... • https://launchpad.support.sap.com/#/notes/2941315 • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.8EPSS: 0%CPEs: 7EXPL: 0CVE-2020-6282
https://notcve.org/view.php?id=CVE-2020-6282
14 Jul 2020 — SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. SAP NetWeaver AS JAVA (servici... • https://launchpad.support.sap.com/#/notes/2896025 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2020-6263
https://notcve.org/view.php?id=CVE-2020-6263
10 Jun 2020 — Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not perform any authentication checks for operations that require user identity leading to Authentication Bypass. Los clientes dedicados que se conectan a SAP NetWeaver AS Java por medio del protocolo P4, versiones (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.... • https://launchpad.support.sap.com/#/notes/2878568 • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.2EPSS: 0%CPEs: 7EXPL: 0CVE-2020-6224
https://notcve.org/view.php?id=CVE-2020-6224
14 Apr 2020 — SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to Information Disclosure. SAP NetWeaver AS Java (HTTP Service), versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, permite a un atacante con privilegios de administrador acceder a datos confidenciales del usuario, tales como contraseñas... • https://launchpad.support.sap.com/#/notes/2826528 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2020-6202
https://notcve.org/view.php?id=CVE-2020-6202
10 Mar 2020 — SAP NetWeaver Application Server Java (User Management Engine), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; does not sufficiently validate the LDAP data source configuration XML document accepted from an untrusted source, leading to Missing XML Validation. SAP NetWeaver Application Server Java (User Management Engine), versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; no comprueba suficientemente el documento XML de configuración de la fuente de datos LDAP aceptado desde una fuente no segura , con... • https://launchpad.support.sap.com/#/notes/2847787 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2019-0391
https://notcve.org/view.php?id=CVE-2019-0391
13 Nov 2019 — Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted. Bajo determinadas condiciones, SAP NetWeaver AS Java (corregido en versiones 7.10, 7.20, 7.30, 7.31, 7.40, 7.50), permite a un atacante acceder a información que de otro modo estaría restringida. • https://launchpad.support.sap.com/#/notes/2835226 •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2019-0389
https://notcve.org/view.php?id=CVE-2019-0389
13 Nov 2019 — An administrator of SAP NetWeaver Application Server Java (J2EE-Framework), (corrected in versions 7.1, 7.2, 7.3, 7.31, 7.4, 7.5), may change privileges for all or some functions in Java Server, and enable users to execute functions, they are not allowed to execute otherwise. Un administrador de SAP NetWeaver Application Server Java (J2EE-Framework), (corregido en las versiones 7.1, 7.2, 7.3, 7.31, 7.4, 7.5), puede cambiar los privilegios para todas o algunas funciones en Java Server, y permitir a usuarios ... • https://launchpad.support.sap.com/#/notes/2814357 •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2019-0355
https://notcve.org/view.php?id=CVE-2019-0355
10 Sep 2019 — SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application. SAP NetWeaver Application Server Java Web Container, ENGINEAPI (versiones anteriores a 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) y SAP-JEECOR (versiones anteriores a 6.40, 7.0, 7.01), permiten a un atacante in... • https://launchpad.support.sap.com/#/notes/2798336 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2019-0327
https://notcve.org/view.php?id=CVE-2019-0327
10 Jul 2019 — SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation. SAP NetWeaver para Java Application Server - Web Container, (engineapi, versiones 7.1, 7.2, 7.3, 7.31, 7.4 y 7.5), (servercode, versiones 7.2, 7.3, 7.31, 7.4, 7.5), permiten a un atacante cargar archivos (incluyendo archivos de script) sin la compro... • http://www.securityfocus.com/bid/109071 • CWE-434: Unrestricted Upload of File with Dangerous Type •