CVE-2018-2435
https://notcve.org/view.php?id=CVE-2018-2435
SAP NetWeaver Enterprise Portal from 7.0 to 7.02, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver Enterprise Portal desde la versión 7.0 hasta la 7.02, 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50, no cifra lo suficiente las entradas controladas por el usuario, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/104706 https://launchpad.support.sap.com/#/notes/2643126 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=497256000 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-2415
https://notcve.org/view.php?id=CVE-2018-2415
SAP NetWeaver Application Server Java Web Container and HTTP Service (Engine API, from 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; J2EE Engine Server Core 7.11, 7.30, 7.31, 7.40, 7.50) do not sufficiently encode user controlled inputs, resulting in a content spoofing vulnerability when error pages are displayed. Java Web Container y HTTP Service en SAP NetWeaver Application Server (Engine API, de la versión 7.10 a la 7.11, 7.30, 7.31, 7.40, 7.50; J2EE Engine Server Core 7.11, 7.30, 7.31, 7.40 y 7.50) no cifran lo suficiente entradas controladas por el usuario, lo que resulta en una vulnerabilidad de suplantación de contenido cuando se muestran páginas de error. • http://www.securityfocus.com/bid/104130 https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018 https://launchpad.support.sap.com/#/notes/2550202 • CWE-172: Encoding Error •
CVE-2018-2365
https://notcve.org/view.php?id=CVE-2018-2365
SAP NetWeaver Portal, WebDynpro Java, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver Portal y WebDynpro Java 7.30, 7.31, 7.40 y 7.50, no cifra lo suficiente las entradas controladas por el usuario, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/102999 https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018 https://launchpad.support.sap.com/#/notes/2547977 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-2368
https://notcve.org/view.php?id=CVE-2018-2368
SAP NetWeaver System Landscape Directory, LM-CORE 7.10, 7.20, 7.30, 7.31, 7.40, does not perform any authentication checks for functionalities that require user identity. SAP NetWeaver System Landscape Directory, LM-CORE 7.10, 7.20, 7.30, 7.31 y 7.40 no realiza comprobaciones de autenticación para funcionalidades que requieren la identidad del usuario. • http://www.securityfocus.com/bid/103000 https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018 https://launchpad.support.sap.com/#/notes/2565622 • CWE-306: Missing Authentication for Critical Function •
CVE-2018-2363
https://notcve.org/view.php?id=CVE-2018-2363
SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user's choice. A malicious user can therefore control the behaviour of the system or can potentially escalate privileges by executing malicious code without legitimate credentials. SAP NetWeaver y SAP BASIS, desde la versión 7.00 hasta la 7.02, desde la 7.10 a la 7.11, 7.30, 7.31, 7.40 y desde la versión 7.50 a la 7.52, contiene código que permite ejecutar código arbitrario del programa a elección del usuario. Un usuario malicioso puede, por lo tanto, controlar el comportamiento del sistema o escalar privilegios mediante la ejecución de código malicioso sin credenciales legítimas. • http://www.securityfocus.com/bid/102449 https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018 https://launchpad.support.sap.com/#/notes/1906212 https://launchpad.support.sap.com/#/notes/2525392 • CWE-94: Improper Control of Generation of Code ('Code Injection') •