CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-33001 – Denial of service (DOS) in SAP NetWeaver and ABAP platform
https://notcve.org/view.php?id=CVE-2024-33001
11 Jun 2024 — SAP NetWeaver and ABAP platform allows an attacker to impede performance for legitimate users by crashing or flooding the service. An impact of this Denial of Service vulnerability might be long response delays and service interruptions, thus degrading the service quality experienced by legitimate users causing high impact on availability of the application. La plataforma SAP NetWeaver y ABAP permite a un atacante impedir el rendimiento de usuarios legítimos bloqueando o inundando el servicio. Un impacto de... • https://me.sap.com/notes/3453170 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34687 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application server for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2024-34687
14 May 2024 — SAP NetWeaver Application Server for ABAP and ABAP Platform do not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker can control code that is executed within a user’s browser, which could result in modification, deletion of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. Hence, this could have impact on Confidentiality, Integrity and Availability of the system. SAP Ne... • https://me.sap.com/notes/3448445 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 7EXPL: 0CVE-2024-30218 – Denial of service (DOS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2024-30218
09 Apr 2024 — The ABAP Application Server of SAP NetWeaver as well as ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. This leads to a considerable impact on availability. El servidor de aplicaciones ABAP de SAP NetWeaver, así como la plataforma ABAP, permiten a un atacante impedir que usuarios legítimos accedan a un servicio, ya sea bloqueando o inundando el servicio. Esto tiene un impacto considerable en la disponibilidad. The ABAP Applic... • https://me.sap.com/notes/3359778 • CWE-400: Uncontrolled Resource Consumption CWE-605: Multiple Binds to the Same Port •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-27899 – Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine
https://notcve.org/view.php?id=CVE-2024-27899
09 Apr 2024 — Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability. Self-Registration and Modify your own profile en User Admin Application de NetWeaver AS Java no exige requisitos de seguridad adecuados para el contenido de la respuesta de seguridad reci... • https://me.sap.com/notes/3434839 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27898 – Server-Side Request Forgery in SAP NetWeaver
https://notcve.org/view.php?id=CVE-2024-27898
09 Apr 2024 — SAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. Thus, having a low impact on confidentiality. La aplicación SAP NetWeaver, debido a una validación de entrada insuficiente, permite a un atacante enviar una solicitud manipulada desde una aplic... • https://me.sap.com/notes/3425188 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25645 – Information Disclosure vulnerability in SAP NetWeaver (Enterprise Portal)
https://notcve.org/view.php?id=CVE-2024-25645
12 Mar 2024 — Under certain condition SAP NetWeaver (Enterprise Portal) - version 7.50 allows an attacker to access information which would otherwise be restricted causing low impact on confidentiality of the application and with no impact on Integrity and Availability of the application. Bajo ciertas condiciones, SAP NetWeaver (Enterprise Portal): la versión 7.50 permite a un atacante acceder a información que de otro modo estaría restringida, lo que causa un impacto bajo en la confidencialidad de la aplicación y sin im... • https://me.sap.com/notes/3428847 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28163 – Information Disclosure vulnerability in SAP NetWeaver Process Integration (Support Web Pages)
https://notcve.org/view.php?id=CVE-2024-28163
12 Mar 2024 — Under certain conditions, Support Web Pages of SAP NetWeaver Process Integration (PI) - versions 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application. Bajo ciertas condiciones, las páginas web de soporte de SAP NetWeaver Process Integration (PI), versiones 7.50, permiten a un atacante acceder a información que de otro modo estaría restringida, lo que causa un bajo impacto en l... • https://me.sap.com/notes/3434192 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-27902 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP applications based on SAPGUI for HTML (WebGUI)
https://notcve.org/view.php?id=CVE-2024-27902
12 Mar 2024 — Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. A successful attack can allow a malicious attacker to access and modify data through their ability to execute code in a user’s browser. There is no impact on the availability of the system Las aplicaciones basadas en SAP GUI para HTML en SAP NetWeaver AS ABAP (versiones 7.89, 7.93) no codifican suficientemente las ent... • https://me.sap.com/notes/3377979 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22127 – Code Injection vulnerability in SAP NetWeaver AS Java (Administrator Log Viewer plug-in)
https://notcve.org/view.php?id=CVE-2024-22127
12 Mar 2024 — SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high privileges to upload potentially dangerous files which leads to command injection vulnerability. This would enable the attacker to run commands which can cause high impact on confidentiality, integrity and availability of the application. SAP NetWeaver Administrator AS Java (complemento Administrator Log Viewer): versión 7.50, permite a un atacante con altos privilegios cargar archivos potenci... • https://me.sap.com/notes/3433192 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24743 – XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures)
https://notcve.org/view.php?id=CVE-2024-24743
13 Feb 2024 — SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected. SAP NetWeaver AS Java (CAF - Procedimientos guiados): versión 7.50, permite a un atacante no autenticado enviar una solicitud maliciosa con un archivo XML manipulado a través de... • https://me.sap.com/notes/3426111 • CWE-611: Improper Restriction of XML External Entity Reference •