CVE-2016-1911
https://notcve.org/view.php?id=CVE-2016-1911
Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) Runtime Workbench (RWB) or (2) Pmitest servlet in the Process Monitoring Infrastructure (PMI), aka SAP Security Notes 2206793 and 2234918.
References:
http://seclists.org/fulldisclosure/2016/Apr/58
http://seclists.org/fulldisclosure/2016/Apr/64
https://erpscan.io/advisories/erpscan-16-001-xss-sap-netweaver-7-4-mdt-servlet
https://erpscan.io/advisories/erpscan-16-004-sap-netweaver-7-4-pmitest-servlet-xss
https://erpscan.io/press-center/blog/sap-security-notes-january-2016-review
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-1910 – SAP NetWeaver J2EE Engine 7.40 - SQL Injection
https://notcve.org/view.php?id=CVE-2016-1910
The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers to decrypt unspecified data via unknown vectors, aka SAP Security Note 2191290. SAP NetWeaver J2EE Engine version 7.40 suffers from a remote SQL injection vulnerability.
References:
https://www.exploit-db.com/exploits/43495
http://seclists.org/fulldisclosure/2016/Apr/60
http://www.securityfocus.com/bid/80920
https://erpscan.io/advisories/erpscan-16-003-sap-netweaver-7-4-cryptographic-issues
https://erpscan.io/press-center/blog/sap-security-notes-january-2016-review
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-7239 – SAP NetWeaver J2EE Engine 7.40 SQL Injection
https://notcve.org/view.php?id=CVE-2015-7239
SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function module in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. SAP NetWeaver J2EE Engine version 7.40 suffers from a remote SQL injection vulnerability.
References:
http://packetstormsecurity.com/files/134801/SAP-NetWeaver-J2EE-Engine-7.40-SQL-Injection.html
http://seclists.org/fulldisclosure/2015/Dec/66
http://www.securityfocus.com/archive/1/537109/100/0/threaded
https://erpscan.io/advisories/erpscan-15-021-sap-netweaver-7-4-bp_find_jobs_with_program-sql-injection
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-6662 – SAP NetWeaver 7.4 XXE Injection
https://notcve.org/view.php?id=CVE-2015-6662
XML external entity (XXE) vulnerability in SAP NetWeaver Portal 7.4 allows remote attackers to read arbitrary files and possibly have other unspecified impact via crafted XML data, aka SAP Security Note 2168485. SAP NetWeaver version 7.4 suffers from an XML external entity injection vulnerability.
References:
http://packetstormsecurity.com/files/134507/SAP-NetWeaver-7.4-XXE-Injection.html
http://seclists.org/fulldisclosure/2015/Nov/92
http://www.securityfocus.com/archive/1/536957/100/0/threaded
https://erpscan.io/advisories/erpscan-15-018-sap-netweaver-7-4-xxe
CVE-2015-2817
https://notcve.org/view.php?id=CVE-2015-2817
The SAP Management Console in SAP NetWeaver 7.40 allows remote attackers to obtain sensitive information via the ReadProfile parameters, aka SAP Security Note 2091768.
References:
http://packetstormsecurity.com/files/132359/SAP-Management-Console-Information-Disclosure.html
http://seclists.org/fulldisclosure/2015/Jun/65
http://www.securityfocus.com/archive/1/535829/100/800/threaded
http://www.securityfocus.com/bid/73705
https://erpscan.io/advisories/erpscan-15-007-sap-management-console-readprofile-parameters-information-disclosure
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor