CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-23854
https://notcve.org/view.php?id=CVE-2023-23854
14 Feb 2023 — SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. • https://launchpad.support.sap.com/#/notes/3287291 • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 27EXPL: 0CVE-2023-0014 – Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-0014
10 Jan 2023 — SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system. • https://launchpad.support.sap.com/#/notes/3089413 • CWE-294: Authentication Bypass by Capture-replay •
CVSS: 8.8EPSS: 0%CPEs: 17EXPL: 0CVE-2022-29611
https://notcve.org/view.php?id=CVE-2022-29611
11 May 2022 — SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. SAP NetWeaver Application Server for ABAP y ABAP Platform no llevan a cabo las comprobaciones de autorización necesarias para un usuario autenticado, resultando en una escalada de privilegios • https://launchpad.support.sap.com/#/notes/3165801 • CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-26102
https://notcve.org/view.php?id=CVE-2022-26102
08 Mar 2022 — Due to missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated attacker, to access content on the start screen of any transaction that is available with in the same SAP system even if he/she isn't authorized for that transaction. A successful exploitation could expose information and in worst case manipulate data before the start screen is executed, resulting in limited impact on confidentiality and integrity of the application. Debido a ... • https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 24EXPL: 0CVE-2022-22543
https://notcve.org/view.php?id=CVE-2022-22543
09 Feb 2022 — SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel) - versions KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49, does not sufficiently validate sap-passport information, which could lead to a Denial-of-Service attack. This allows an unauthorized remote user to provoke a breakdown of the SAP Web Dispatcher or Kernel work process. The crashed process can be restarted immediately, other processes are n... • https://launchpad.support.sap.com/#/notes/3116223 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.9EPSS: 0%CPEs: 15EXPL: 0CVE-2022-22545
https://notcve.org/view.php?id=CVE-2022-22545
09 Feb 2022 — A high privileged user who has access to transaction SM59 can read connection details stored with the destination for http calls in SAP NetWeaver Application Server ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756. Un usuario con altos privilegios que tenga acceso a la transacción SM59 puede leer los detalles de conexión almacenados con el destino de las llamadas http en SAP NetWeaver Application Server ABAP y ABAP Platform - versiones 700, 701, 702... • https://launchpad.support.sap.com/#/notes/3128473 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 0CVE-2022-22540
https://notcve.org/view.php?id=CVE-2022-22540
09 Feb 2022 — SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to execute crafted database queries, that could expose the backend database. Successful attacks could result in disclosure of a table of contents from the system, but no risk of modification possible. SAP NetWeaver AS ABAP (Workplace Server) - versiones 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, permite a un atacante ejecutar consultas a la base de dat... • https://launchpad.support.sap.com/#/notes/3140587 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 28EXPL: 0CVE-2021-42067
https://notcve.org/view.php?id=CVE-2021-42067
14 Jan 2022 — In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. No information alteration or denial of service is possible. En SAP NetWeaver AS for ABAP y ABAP Platform - versiones 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, un atacante autenticado como usuario norma... • https://launchpad.support.sap.com/#/notes/3112710 •
CVSS: 7.2EPSS: 0%CPEs: 15EXPL: 0CVE-2021-44235
https://notcve.org/view.php?id=CVE-2021-44235
14 Dec 2021 — Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker with high privileges and has direct access to SAP System, to inject code when executing with a certain transaction class builder. This could allow execution of arbitrary commands on the operating system, that could highly impact the Confidentiality, Integrity and Availability of the system. Dos métodos de una clase de utilidad en SAP NetWeaver AS ABA... • https://launchpad.support.sap.com/#/notes/3123196 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 20EXPL: 0CVE-2021-44231
https://notcve.org/view.php?id=CVE-2021-44231
14 Dec 2021 — Internally used text extraction reports allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. Los informes de extracción de texto usados internamente permiten a un atacante inyectar código que puede ser ejecutado por la aplicación. Un atacante podría así controlar el comportamiento de la aplicación • https://launchpad.support.sap.com/#/notes/3119365 • CWE-94: Improper Control of Generation of Code ('Code Injection') •