CVE-2021-40495
https://notcve.org/view.php?id=CVE-2021-40495
There are multiple Denial-of-Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform, versions 740, 750, 751, 752, 753, 754, 755. An unauthorized attacker can use the public SICF service /sap/public/bc/abap to reduce the performance of SAP NetWeaver Application Server ABAP and ABAP Platform.
References: https://launchpad.support.sap.com/#/notes/3099011 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983
CVE-2021-38181
https://notcve.org/view.php?id=CVE-2021-38181
SAP NetWeaver AS ABAP and ABAP Platform, versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.
References: https://launchpad.support.sap.com/#/notes/3080710 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983
CVE-2021-33705
https://notcve.org/view.php?id=CVE-2021-33705
The SAP NetWeaver Portal, versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor, contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which, when clicked by a user, can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability.
References: http://packetstormsecurity.com/files/165743/SAP-Enterprise-Portal-iviewCatcherEditor-Server-Side-Request-Forgery.html http://seclists.org/fulldisclosure/2022/Jan/72 https://launchpad.support.sap.com/#/notes/3074844 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
CWE-918: Server-Side Request Forgery (SSRF)
CVE-2021-33691
https://notcve.org/view.php?id=CVE-2021-33691
NWDI Notification Service, versions 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver Development Infrastructure Notification Service allows a threat actor to send crafted scripts to a victim. If the victim has an active session when the crafted script gets executed, the threat actor could compromise information in the victim's session and also gain access to some sensitive information.
References: https://launchpad.support.sap.com/#/notes/3073450 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33690
https://notcve.org/view.php?id=CVE-2021-33690
A Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service, versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on the server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the server and impact its availability. Note: The impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or internet. The CVSS score reflects the impact considering the worst-case scenario that it runs on the internet.
References: https://github.com/redrays-io/CVE-2021-33690 https://launchpad.support.sap.com/#/notes/3072955 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
CWE-918: Server-Side Request Forgery (SSRF)