CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2019-0355
https://notcve.org/view.php?id=CVE-2019-0355
SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application. SAP NetWeaver Application Server Java Web Container, ENGINEAPI (versiones anteriores a 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) y SAP-JEECOR (versiones anteriores a 6.40, 7.0, 7.01), permiten a un atacante inyectar código que puede ser ejecutado por la aplicación. Un atacante podría de este modo controlar el comportamiento de la aplicación. • https://launchpad.support.sap.com/#/notes/2798336 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2019-0351
https://notcve.org/view.php?id=CVE-2019-0351
A remote code execution vulnerability exists in the SAP NetWeaver UDDI Server (Services Registry), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50. Because of this, an attacker can exploit Services Registry potentially enabling them to take complete control of the product, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. It can also be used to cause a general fault in the product, causing the product to terminate. Se presenta una vulnerabilidad de ejecución de código remota en SAP NetWeaver UDDI Server (Services Registry), versiones 7.10, 7.20, 7.30, 7.31, 7.40, 7.50. Debido a esto, un atacante puede explotar el Services Registry potencialmente permitiéndoles tomar el control completo del producto, incluyendo visualizar, cambiar o eliminar datos mediante la inyección de código en la memoria de trabajo que posteriormente es ejecutada por la aplicación. • https://launchpad.support.sap.com/#/notes/2800779 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017 •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2019-0345
https://notcve.org/view.php?id=CVE-2019-0345
A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery. Un atacante remoto no autenticado puede abusar de un servicio web en SAP NetWeaver Application Server for Java (Administrator System Overview), versiones 7.30, 7.31, 7.40, 7.50, enviando un archivo XML especialmente diseñado y engañando al servidor de aplicaciones al filtrar credenciales de autenticación para su propia consola de SAP Management, resultando en un ataque de tipo Server-Side Request Forgery. • https://launchpad.support.sap.com/#/notes/2813811 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2019-0337
https://notcve.org/view.php?id=CVE-2019-0337
Java Proxy Runtime of SAP NetWeaver Process Integration, versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs and allows an attacker to execute malicious scripts in the url thereby resulting in Reflected Cross-Site Scripting (XSS) vulnerability Java Proxy Runtime de SAP NetWeaver Process Integration, versiones 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, no codifica suficientemente las entradas controladas por el usuario y permite a un atacante ejecutar scripts maliciosos en la url, de este modo resulta en una vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejado. • https://launchpad.support.sap.com/#/notes/2789866 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2019-0327
https://notcve.org/view.php?id=CVE-2019-0327
SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation. SAP NetWeaver para Java Application Server - Web Container, (engineapi, versiones 7.1, 7.2, 7.3, 7.31, 7.4 y 7.5), (servercode, versiones 7.2, 7.3, 7.31, 7.4, 7.5), permiten a un atacante cargar archivos (incluyendo archivos de script) sin la comprobación apropiada del formato del archivo. • http://www.securityfocus.com/bid/109071 https://launchpad.support.sap.com/#/notes/2777910 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575 • CWE-434: Unrestricted Upload of File with Dangerous Type •