CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2019-0389
https://notcve.org/view.php?id=CVE-2019-0389
13 Nov 2019 — An administrator of SAP NetWeaver Application Server Java (J2EE-Framework), (corrected in versions 7.1, 7.2, 7.3, 7.31, 7.4, 7.5), may change privileges for all or some functions in Java Server, and enable users to execute functions, they are not allowed to execute otherwise. Un administrador de SAP NetWeaver Application Server Java (J2EE-Framework), (corregido en las versiones 7.1, 7.2, 7.3, 7.31, 7.4, 7.5), puede cambiar los privilegios para todas o algunas funciones en Java Server, y permitir a usuarios ... • https://launchpad.support.sap.com/#/notes/2814357 •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2019-0355
https://notcve.org/view.php?id=CVE-2019-0355
10 Sep 2019 — SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application. SAP NetWeaver Application Server Java Web Container, ENGINEAPI (versiones anteriores a 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) y SAP-JEECOR (versiones anteriores a 6.40, 7.0, 7.01), permiten a un atacante in... • https://launchpad.support.sap.com/#/notes/2798336 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2019-0327
https://notcve.org/view.php?id=CVE-2019-0327
10 Jul 2019 — SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation. SAP NetWeaver para Java Application Server - Web Container, (engineapi, versiones 7.1, 7.2, 7.3, 7.31, 7.4 y 7.5), (servercode, versiones 7.2, 7.3, 7.31, 7.4, 7.5), permiten a un atacante cargar archivos (incluyendo archivos de script) sin la compro... • http://www.securityfocus.com/bid/109071 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 0CVE-2019-0275
https://notcve.org/view.php?id=CVE-2019-0275
12 Mar 2019 — SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability. SAML 1.1 SSO Demo Application en SAP NetWeaCVEr Java Application SerCVEr (J2EE-APPS), desde la CVErsión 7.10 hasta la 7.11 y en CVErsiones 7.20, 7.30, 7.31, 7.40 y 7.50, no codifica suficientemente las entradas controladas por el usuario, lo que resulta en una... • http://www.securityfocus.com/bid/107362 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2018-2492
https://notcve.org/view.php?id=CVE-2018-2492
11 Dec 2018 — SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50. La funcionalidad de SAML 2.0 en SAP NetWeaver AS Java no valida lo suficiente los documentos XML recibidos de una fuente no fiable. La vulnerabilidad se ha solucionado en las versiones 7.2, 7.30, 7.31, 7.40 y 7.50. • http://www.securityfocus.com/bid/106153 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.4EPSS: 0%CPEs: 6EXPL: 0CVE-2018-2503
https://notcve.org/view.php?id=CVE-2018-2503
11 Dec 2018 — By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict the access to resources that should be protected. This has been fixed in SAP NetWeaver AS Java (ServerCore versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50). Por defecto, el almacén de claves Java de SAP NetWeaver AS no restringe lo suficiente el acceso a recursos que deberían estar protegidos. Esto ha sido solucionado en SAP NetWeaver AS Java (ServerCore en versiones 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50). • http://www.securityfocus.com/bid/106156 • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2018-2504
https://notcve.org/view.php?id=CVE-2018-2504
11 Dec 2018 — SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation or Cross-Site Scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. El servicio Java Web Container, de SAP NetWeaver AS, no valida contra una lista blanca la cabecera HTTP del host, lo que puede resultar en una vulnerabilidad de manipulación de la cabecera HTTP del host o de Cross-Site Scripting (XSS). La vulnerabi... • http://www.securityfocus.com/bid/106150 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2018-2452
https://notcve.org/view.php?id=CVE-2018-2452
11 Sep 2018 — The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability. La aplicación de inicio de sesión de SAP NetWeaver AS Java desde la versión 7.10 hasta la 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50, no cifra lo suficiente las entradas controladas por el usuario, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/105325 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14581
https://notcve.org/view.php?id=CVE-2017-14581
19 Sep 2017 — The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash) via a crafted request, aka SAP Security Note 2389181. El servicio web Host Control en SAP NetWeaver AS JAVA en sus versiones 7.0 a 7.5 permite que los atacantes remotos provoquen una denegación de servicio (cierre inesperado del servicio) mediante una petición manipulada. Esto también se conoce como SAP Security Note 2389181. • https://erpscan.io/advisories/erpscan-17-030-sap-hostcontrol-remote-dos •
CVSS: 10.0EPSS: 29%CPEs: 1EXPL: 0CVE-2010-5326 – SAP NetWeaver Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2010-5326
13 May 2016 — The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack. El Invoker Servlet sobre plataformas SAP NetWeaver Application Server Java, posiblemente en versiones anteriores a 7.3, no requiere autenticación, loq ue permite a atacantes remotos ejecutar código arbitrario a través de una petic... • http://service.sap.com/sap/support/notes/1445998 • CWE-306: Missing Authentication for Critical Function •