CVSS: 8.7EPSS: 0%CPEs: 6EXPL: 0CVE-2022-41214
https://notcve.org/view.php?id=CVE-2022-41214
08 Nov 2022 — Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to delete a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the integrity and availability of the application. Debido a una validación de entrada insuficiente, SAP NetWeaver Application Server ABAP y ABAP Platform permiten a un atacante con privilegios de alto nivel utilizar una funció... • https://launchpad.support.sap.com/#/notes/3256571 • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2022-41212
https://notcve.org/view.php?id=CVE-2022-41212
08 Nov 2022 — Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to read a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the confidentiality of the application. Debido a una validación de entrada insuficiente, SAP NetWeaver Application Server ABAP y ABAP Platform permiten a un atacante con privilegios de alto nivel utilizar una función remota habi... • https://launchpad.support.sap.com/#/notes/3256571 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.4EPSS: 0%CPEs: 5EXPL: 0CVE-2022-39799
https://notcve.org/view.php?id=CVE-2022-39799
13 Sep 2022 — An attacker with no prior authentication could craft and send malicious script to SAP GUI for HTML within Fiori Launchpad, resulting in reflected cross-site scripting attack. This could lead to stealing session information and impersonating the affected user. Un atacante sin autenticación previa podría diseñar y enviar un script malicioso a la Interfaz Gráfica de Usuario de SAP para HTML dentro de Fiori Launchpad, resultando en un ataque de tipo cross-site scripting. Esto podría conllevar a un robo de infor... • https://launchpad.support.sap.com/#/notes/3229820 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 11EXPL: 0CVE-2022-35294
https://notcve.org/view.php?id=CVE-2022-35294
13 Sep 2022 — An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user. Un atacante con privilegios básicos de usuario de negocio podría diseñar y cargar un archivo malicioso en SAP NetWeaver Application Server ABAP, que luego ... • https://launchpad.support.sap.com/#/notes/3218177 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 17EXPL: 0CVE-2022-29611
https://notcve.org/view.php?id=CVE-2022-29611
11 May 2022 — SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. SAP NetWeaver Application Server for ABAP y ABAP Platform no llevan a cabo las comprobaciones de autorización necesarias para un usuario autenticado, resultando en una escalada de privilegios • https://launchpad.support.sap.com/#/notes/3165801 • CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-26102
https://notcve.org/view.php?id=CVE-2022-26102
08 Mar 2022 — Due to missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated attacker, to access content on the start screen of any transaction that is available with in the same SAP system even if he/she isn't authorized for that transaction. A successful exploitation could expose information and in worst case manipulate data before the start screen is executed, resulting in limited impact on confidentiality and integrity of the application. Debido a ... • https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 0CVE-2022-22540
https://notcve.org/view.php?id=CVE-2022-22540
09 Feb 2022 — SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to execute crafted database queries, that could expose the backend database. Successful attacks could result in disclosure of a table of contents from the system, but no risk of modification possible. SAP NetWeaver AS ABAP (Workplace Server) - versiones 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, permite a un atacante ejecutar consultas a la base de dat... • https://launchpad.support.sap.com/#/notes/3140587 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 95%CPEs: 26EXPL: 3CVE-2022-22536 – SAP Multiple Products HTTP Request Smuggling Vulnerability
https://notcve.org/view.php?id=CVE-2022-22536
09 Feb 2022 — SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system. SAP N... • https://github.com/antx-code/CVE-2022-22536 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 4.3EPSS: 0%CPEs: 28EXPL: 0CVE-2021-42067
https://notcve.org/view.php?id=CVE-2021-42067
14 Jan 2022 — In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. No information alteration or denial of service is possible. En SAP NetWeaver AS for ABAP y ABAP Platform - versiones 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, un atacante autenticado como usuario norma... • https://launchpad.support.sap.com/#/notes/3112710 •
CVSS: 7.2EPSS: 0%CPEs: 15EXPL: 0CVE-2021-44235
https://notcve.org/view.php?id=CVE-2021-44235
14 Dec 2021 — Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker with high privileges and has direct access to SAP System, to inject code when executing with a certain transaction class builder. This could allow execution of arbitrary commands on the operating system, that could highly impact the Confidentiality, Integrity and Availability of the system. Dos métodos de una clase de utilidad en SAP NetWeaver AS ABA... • https://launchpad.support.sap.com/#/notes/3123196 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •