CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2019-0337
https://notcve.org/view.php?id=CVE-2019-0337
Java Proxy Runtime of SAP NetWeaver Process Integration, versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs and allows an attacker to execute malicious scripts in the url thereby resulting in Reflected Cross-Site Scripting (XSS) vulnerability Java Proxy Runtime de SAP NetWeaver Process Integration, versiones 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, no codifica suficientemente las entradas controladas por el usuario y permite a un atacante ejecutar scripts maliciosos en la url, de este modo resulta en una vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejado. • https://launchpad.support.sap.com/#/notes/2789866 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 0CVE-2019-0328
https://notcve.org/view.php?id=CVE-2019-0328
ABAP Tests Modules (SAP Basis, versions 7.0, 7.1, 7.3, 7.31, 7.4, 7.5) of SAP NetWeaver Process Integration enables an attacker the execution of OS commands with privileged rights. An attacker could thereby impact the integrity and availability of the system. ABAP Tests Modules (SAP Basis, versiones 7.0, 7.1, 7.3, 7.31, 7.4, 7.5) de SAP NetWeaver Process Integration, permiten a un atacante la ejecución de comandos del sistema operativo con derechos privilegiados. Un atacante podría afectar la integridad y disponibilidad del sistema. • http://www.securityfocus.com/bid/109067 https://launchpad.support.sap.com/#/notes/2774489 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.8EPSS: 0%CPEs: 7EXPL: 0CVE-2019-0316
https://notcve.org/view.php?id=CVE-2019-0316
SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim’s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability. SAP NetWeaver Process Integration, versiones: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 a 7.11, 7.30, 7.31, 7.40, 7.50, no valida suficientemente las entradas controladas por el usuario, lo que permite a un atacante que posee privilegios de administrador leer y modificar datos del navegador de la víctima , al inyectar scripts maliciosos en ciertos servlets, que se ejecutarán cuando se engañe a la víctima para que haga clic en esos enlaces maliciosos, lo que da como resultado una vulnerabilidad de Cross Site Scripting reflejada. • https://launchpad.support.sap.com/#/notes/2745917 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2019-0312
https://notcve.org/view.php?id=CVE-2019-0312
Several web pages provided SAP NetWeaver Process Integration (versions: SAP_XIESR: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 and SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50) are not password protected. An attacker could access landscape information like host names, ports or other technical data in the absence of restrictive firewall and port settings. Varias páginas web proporcionadas SAP NetWeaver Process Integration (versiones: SAP_XIESR: 7.10 a 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 y SAP_XITOOL: 7.10 a 7.11, 7.30, 7.31, 7.40, 7.50) no están protegidas con contraseña. Un atacante podría acceder a información horizontal como nombres de host, puertos u otros datos técnicos en ausencia de cortafuegos y configuración de puertos restrictivos • https://launchpad.support.sap.com/#/notes/2744086 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2019-0315
https://notcve.org/view.php?id=CVE-2019-0315
Under certain conditions the PI Integration Builder Web UI of SAP NetWeaver Process Integration (versions: SAP_XIESR: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50 and SAP_XIPCK 7.10 to 7.11, 7.20, 7.30) allows an attacker to access passwords used in FTP channels leading to information disclosure. Bajo ciertas condiciones, la interfaz de usuario web de PI Integration Builder de SAP NetWeaver Process Integration (versiones: SAP_XIESR: 7.10 a 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, SAP_XITOOL: 7.10 a 7.11, 7.30, 7.31, 7.40, 7.50 y SAP_XIPCK 7.10 a 7.11, 7.20, 7.30) permite a un atacante acceder a las contraseñas utilizadas en los canales FTP que conducen a la divulgación de información. • https://launchpad.support.sap.com/#/notes/2755438 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242 •