CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 0CVE-2021-27601
https://notcve.org/view.php?id=CVE-2021-27601
13 Apr 2021 — SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree. SAP NetWeaver AS Java (Aplicaciones basadas en HTMLB para Java) permite a un atacante autorizado de nivel básico almacenar un archivo malicioso en el servidor. ... • https://launchpad.support.sap.com/#/notes/2963592 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-27603
https://notcve.org/view.php?id=CVE-2021-27603
13 Apr 2021 — An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time. An attacker could call this function module multiple times to block all work processes thereby causing Denial of Service and affecting the Availability of the SAP system. Un módulo de función SPI_WAIT_MILLIS habilitado para RFC en SAP NetWeaver AS ABAP, versiones - 731, 740, 750, permite mantener un proceso de trabajo ocupado durante cualquier período ... • https://launchpad.support.sap.com/#/notes/3028729 •
CVSS: 4.3EPSS: 0%CPEs: 7EXPL: 0CVE-2021-21492
https://notcve.org/view.php?id=CVE-2021-21492
13 Apr 2021 — SAP NetWeaver Application Server Java(HTTP Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate logon group in URLs, resulting in a content spoofing vulnerability when directory listing is enabled. SAP NetWeaver Application Server Java (HTTP Service), versiones - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no comprueba suficientemente el grupo de inicio de sesión en las URL, resultando en una vulnerabilidad de suplantación de contenido cuando la lista de directorios es... • https://launchpad.support.sap.com/#/notes/3025637 • CWE-290: Authentication Bypass by Spoofing •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21482
https://notcve.org/view.php?id=CVE-2021-21482
13 Apr 2021 — SAP NetWeaver Master Data Management, versions - 710, 710.750, allows a malicious unauthorized user with access to the MDM Server subnet to find the password using a brute force method. If successful, the attacker could obtain access to highly sensitive data and MDM administrative privileges leading to information disclosure vulnerability thereby affecting the confidentiality and integrity of the application. This happens when security guidelines and recommendations concerning administrative accounts of an ... • https://launchpad.support.sap.com/#/notes/3017908 •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-27598
https://notcve.org/view.php?id=CVE-2021-27598
13 Apr 2021 — SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet. SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versiones - 7.31, 7.40, 7.50, permite a un atacante leer algunos datos estadísticos como la versión del producto, el tráfico, la marca de tiempo, etc. debido a una falta de comprobación de autorización en el ser... • https://launchpad.support.sap.com/#/notes/3027937 • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2021-21491
https://notcve.org/view.php?id=CVE-2021-21491
10 Mar 2021 — SAP Netweaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. SAP Netweaver Application Server Java (Aplicaciones basadas en WebDynpro Java) versiones 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, permiten a un atacante redireccionar a usuarios a un sitio malicioso debido a vulnerabilidades de Reverse Tabnabbing • https://launchpad.support.sap.com/#/notes/2976947 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-21488
https://notcve.org/view.php?id=CVE-2021-21488
09 Mar 2021 — Knowledge Management versions 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 allows a remote attacker with basic privileges to deserialize user-controlled data without verification, leading to insecure deserialization which triggers the attacker’s code, therefore impacting Availability. Knowledge Management versiones 7.01, 7.02, 7.30, 7.31, 7.40, 7.50, permiten a un atacante remoto con privilegios básicos deserializar unos datos controlados por el usuario sin comprobación, conllevando a una deserialización no segura qu... • https://launchpad.support.sap.com/#/notes/2983436 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.6EPSS: 0%CPEs: 7EXPL: 0CVE-2021-21481
https://notcve.org/view.php?id=CVE-2021-21481
09 Mar 2021 — The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check. This might allow an unauthorized attacker to access configuration objects, including such that grant administrative privileges. This could result in complete compromise of system confidentiality, integrity, and availability. MigrationService, que forma parte de SAP NetWeaver versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no lleva a cabo una comprobación de aut... • https://launchpad.support.sap.com/#/notes/3022422 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21475
https://notcve.org/view.php?id=CVE-2021-21475
09 Feb 2021 — Under specific circumstances SAP Master Data Management, versions - 710, 710.750, allows an unauthorized attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file APIs. Due to this Directory Traversal vulnerability the attacker could read content of arbitrary files on the remote server and expose sensitive data. En circunstancias específicas, SAP Master Data Management, versiones - 710, 710.75... • https://launchpad.support.sap.com/#/notes/3000897 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-21469
https://notcve.org/view.php?id=CVE-2021-21469
12 Jan 2021 — When security guidelines for SAP NetWeaver Master Data Management running on windows have not been thoroughly reviewed, it might be possible for an external operator to try and set custom paths in the MDS server configuration. When no adequate protection has been enforced on any level (e.g., MDS Server password not set, network and OS configuration not properly secured, etc.), a malicious user might define UNC paths which could then be exploited to put the system at risk using a so-called SMB relay attack a... • https://launchpad.support.sap.com/#/notes/2993032 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •