Page 2 of 34 results (0.004 seconds)

CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0

SAP NetWeaver AS for Java allows an authorized attacker to obtain sensitive information. The attacker could obtain the username and password when creating an RFC destination. After successful exploitation, an attacker can read the sensitive information but cannot modify or delete the data. • https://me.sap.com/notes/3477359 https://url.sap/sapsecuritypatchday • CWE-256: Plaintext Storage of a Password •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0

Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. This has a limited impact on confidentiality and integrity of the application. There is no impact on availability. • https://me.sap.com/notes/3505503 https://url.sap/sapsecuritypatchday • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 15EXPL: 0

Due to insufficient input validation, CRM Blueprint Application Builder Panel of SAP NetWeaver Application Server for ABAP allows an unauthenticated attacker to craft a URL link which could embed a malicious JavaScript. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application. • https://me.sap.com/notes/3501359 https://url.sap/sapsecuritypatchday • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0

SAP NetWeaver Enterprise Portal is vulnerable to reflected cross site scripting due to insufficient encoding of user-controlled input. An unauthenticated attacker could craft a malicious URL and trick a user to click it. If the victim clicks on this crafted URL before it times out, then the attacker could read and manipulate user content in the browser. • https://me.sap.com/notes/3498221 https://url.sap/sapsecuritypatchday • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 15EXPL: 0

The RFC enabled function module allows a low privileged user to perform various actions, such as modifying the URLs of any user's favourite nodes and workbook ID. There is low impact on integrity and availability of the application. • https://me.sap.com/notes/3488039 https://url.sap/sapsecuritypatchday • CWE-862: Missing Authorization •