![](/assets/img/cve_300x82_sin_bg.png)
CVE-2018-2452
https://notcve.org/view.php?id=CVE-2018-2452
11 Sep 2018 — The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability. La aplicación de inicio de sesión de SAP NetWeaver AS Java desde la versión 7.10 hasta la 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50, no cifra lo suficiente las entradas controladas por el usuario, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/105325 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
![](/assets/img/cve_300x82_sin_bg.png)
CVE-2017-14581
https://notcve.org/view.php?id=CVE-2017-14581
19 Sep 2017 — The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash) via a crafted request, aka SAP Security Note 2389181. El servicio web Host Control en SAP NetWeaver AS JAVA en sus versiones 7.0 a 7.5 permite que los atacantes remotos provoquen una denegación de servicio (cierre inesperado del servicio) mediante una petición manipulada. Esto también se conoce como SAP Security Note 2389181. • https://erpscan.io/advisories/erpscan-17-030-sap-hostcontrol-remote-dos •
![](/assets/img/cve_300x82_sin_bg.png)
CVE-2010-5326 – SAP NetWeaver Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2010-5326
13 May 2016 — The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack. El Invoker Servlet sobre plataformas SAP NetWeaver Application Server Java, posiblemente en versiones anteriores a 7.3, no requiere autenticación, loq ue permite a atacantes remotos ejecutar código arbitrario a través de una petic... • http://service.sap.com/sap/support/notes/1445998 • CWE-306: Missing Authentication for Critical Function •
![](/assets/img/cve_300x82_sin_bg.png)
CVE-2016-3976 – SAP NetWeaver Directory Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2016-3976
07 Apr 2016 — Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971. Vulnerabilidad de salto de directorio en SAP NetWeaver AS Java 7.1 hasta la versión 7.5 permite a atacantes remotos leer archivos arbitrarios a través de ..\ (punto punto barra invertida) en el parámetro fileName para CrashFileDownloadServlet, también conocida como SAP Sec... • https://packetstorm.news/files/id/137528 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
![](/assets/img/cve_300x82_sin_bg.png)
CVE-2016-3973 – SAP NetWeaver AS JAVA 7.5 Information Disclosure
https://notcve.org/view.php?id=CVE-2016-3973
07 Apr 2016 — The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to obtain sensitive user information by visiting webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#, pressing "Add users", and doing a search, aka SAP Security Note 2255990. La característica de chat en los servicios Real-Time Collaboration (RTC) 7.3 y 7.4 en SAP NetWeaver Java AS 7.1 hasta la versión 7.5 permite a atacantes remotos obtener información sensi... • https://packetstorm.news/files/id/137579 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
![](/assets/img/cve_300x82_sin_bg.png)
CVE-2016-3974 – SAP NetWeaver AS JAVA 7.1 < 7.5 - 'ctcprotocol Servlet' XML External Entity
https://notcve.org/view.php?id=CVE-2016-3974
07 Apr 2016 — XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to _tc~monitoring~webservice~web/ServerNodesWSService, aka SAP Security Note 2235994. Vulnerabilidad de XXE en Configuration Wizard en SAP NetWeaver Java AS 7.1 hasta la versión 7.5 permite a atacantes remotos provocar una denegación de servicio, llevar a cabo ataques S... • https://packetstorm.news/files/id/137527 • CWE-611: Improper Restriction of XML External Entity Reference •
![](/assets/img/cve_300x82_sin_bg.png)
CVE-2016-3975 – SAP NetWeaver AS JAVA 7.5 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2016-3975
07 Apr 2016 — Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.NavigationURLTester, aka SAP Security Note 2238375. Vulnerabilidad de XSS en SAP NetWeaver AS Java 7.1 hasta la versión 7.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro navigationT... • https://packetstorm.news/files/id/137529 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
![](/assets/img/cve_300x82_sin_bg.png)
CVE-2016-2388 – SAP NetWeaver Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2016-2388
16 Feb 2016 — The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846. El Universal Worklist Configuration en SAP NetWeaver AS JAVA 7.4 permite a los atacantes remotos obtener información sensible de los usuarios a través de una solicitud HTTP manipulada, también conocida como SAP Security Note 2256846 SAP NetWeaver AS JAVA versions 7.1 through 7.5 suffer from an information disclosure vulnerab... • https://packetstorm.news/files/id/145860 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •