CVSS: 4.8EPSS: 0%CPEs: 7EXPL: 0CVE-2021-21489
https://notcve.org/view.php?id=CVE-2021-21489
SAP NetWeaver Enterprise Portal versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user related data, resulting in Stored Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with administrative privileges to store a malicious script on the portal. The execution of the script content by a victim registered on the portal could compromise the confidentiality and integrity of portal content. SAP NetWeaver Enterprise Portal versiones - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no codifican suficientemente los datos relacionados con el usuario, resultando en una vulnerabilidad de tipo Cross-Site Scripting (XSS) Almacenado. Esto permitiría a un atacante con privilegios administrativos almacenar un script malicioso en el portal. • https://launchpad.support.sap.com/#/notes/3082219 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 7EXPL: 0CVE-2021-33702
https://notcve.org/view.php?id=CVE-2021-33702
Under certain conditions, NetWeaver Enterprise Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode report data. An attacker can craft malicious data and print it to the report. In a successful attack, a victim opens the report, and the malicious script gets executed in the victim's browser, resulting in a Stored Cross-Site Scripting (XSS) vulnerability. En determinadas condiciones, NetWeaver Enterprise Portal, versiones - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no codifica suficientemente los datos de los informes. Un atacante puede diseñar datos maliciosos e imprimirlos en el informe. • http://packetstormsecurity.com/files/165737/SAP-Enterprise-Portal-NavigationReporter-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2022/Jan/70 https://launchpad.support.sap.com/#/notes/3073681 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 6EXPL: 0CVE-2021-33687
https://notcve.org/view.php?id=CVE-2021-33687
SAP NetWeaver AS JAVA (Enterprise Portal), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 reveals sensitive information in one of their HTTP requests, an attacker can use this in conjunction with other attacks such as XSS to steal this information. SAP NetWeaver AS JAVA (Enterprise Portal), versiones - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, revela información confidencial en una de sus peticiones HTTP, un atacante puede usar esto en conjunto con otros ataques como de tipo XSS para robar esta información • http://packetstormsecurity.com/files/164600/SAP-Enterprise-Portal-Sensitive-Data-Disclosure.html http://seclists.org/fulldisclosure/2021/Oct/32 https://launchpad.support.sap.com/#/notes/3059764 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2021-33670
https://notcve.org/view.php?id=CVE-2021-33670
SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability. SAP NetWeaver AS for Java (Http Service Monitoring Filter), versiones - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, permite a un atacante enviar múltiples peticiones HTTP con diferentes tipos de métodos, bloqueando así el filtro y haciendo que el servidor HTTP no esté disponible para otros usuarios legítimos, conllevando a una vulnerabilidad denegación de servicio • http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html http://seclists.org/fulldisclosure/2022/May/4 https://launchpad.support.sap.com/#/notes/3056652 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-33671
https://notcve.org/view.php?id=CVE-2021-33671
SAP NetWeaver Guided Procedures (Administration Workset), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. The impact of missing authorization could result to abuse of functionality restricted to a particular user group, and could allow unauthorized users to read, modify or delete restricted data. SAP NetWeaver Guided Procedures (Administration Workset), versiones - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, no lleva a cabo las comprobaciones de autorización necesarias para un usuario autenticado, resultando en una escalada de privilegios. El impacto de la falta de autorización podría resultar en el abuso de la funcionalidad restringida a un grupo de usuarios en particular, y podría permitir a usuarios no autorizados a leer, modificar o eliminar los datos restringidos • https://launchpad.support.sap.com/#/notes/3059446 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 • CWE-862: Missing Authorization •