CVSS: 4.9EPSS: 0%CPEs: 7EXPL: 0CVE-2021-27618
https://notcve.org/view.php?id=CVE-2021-27618
The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not check the file type extension of the file uploaded from local source. An attacker could craft a malicious file and upload it to the application, which could lead to denial of service and impact the availability of the application. Integration Builder Framework de SAP Process Integration versiones - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no comprueba la extensión del tipo de archivo del archivo cargado desde la fuente local. Un atacante podría crear un archivo malicioso y cargarlo en la aplicación, lo que podría conllevar a la denegación de servicio y afectar la disponibilidad de la aplicación • https://launchpad.support.sap.com/#/notes/3012021 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 0CVE-2021-27601
https://notcve.org/view.php?id=CVE-2021-27601
SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree. SAP NetWeaver AS Java (Aplicaciones basadas en HTMLB para Java) permite a un atacante autorizado de nivel básico almacenar un archivo malicioso en el servidor. Cuando una víctima intenta abrir este archivo, resulta en una vulnerabilidad de tipo Cross-Site Scripting (XSS) y el atacante puede leer y modificar datos. • https://launchpad.support.sap.com/#/notes/2963592 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 7EXPL: 0CVE-2021-21492
https://notcve.org/view.php?id=CVE-2021-21492
SAP NetWeaver Application Server Java(HTTP Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate logon group in URLs, resulting in a content spoofing vulnerability when directory listing is enabled. SAP NetWeaver Application Server Java (HTTP Service), versiones - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no comprueba suficientemente el grupo de inicio de sesión en las URL, resultando en una vulnerabilidad de suplantación de contenido cuando la lista de directorios está habilitada • https://launchpad.support.sap.com/#/notes/3025637 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649 • CWE-290: Authentication Bypass by Spoofing •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2021-21491
https://notcve.org/view.php?id=CVE-2021-21491
SAP Netweaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. SAP Netweaver Application Server Java (Aplicaciones basadas en WebDynpro Java) versiones 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, permiten a un atacante redireccionar a usuarios a un sitio malicioso debido a vulnerabilidades de Reverse Tabnabbing • https://launchpad.support.sap.com/#/notes/2976947 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.6EPSS: 0%CPEs: 7EXPL: 0CVE-2021-21481
https://notcve.org/view.php?id=CVE-2021-21481
The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check. This might allow an unauthorized attacker to access configuration objects, including such that grant administrative privileges. This could result in complete compromise of system confidentiality, integrity, and availability. MigrationService, que forma parte de SAP NetWeaver versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no lleva a cabo una comprobación de autorización. Esto podría permitir a un atacante no autorizado acceder a los objetos de configuración, incluyendo los que otorgan privilegios administrativos. • https://launchpad.support.sap.com/#/notes/3022422 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107 • CWE-863: Incorrect Authorization •