CVSS: 10.0EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37535
https://notcve.org/view.php?id=CVE-2021-37535
SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges. SAP NetWeaver Application Server Java (JMS Connector Service) - versiones 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no realiza las comprobaciones de autorización necesarias para los privilegios de los usuarios • https://launchpad.support.sap.com/#/notes/3078609 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405 • CWE-862: Missing Authorization •
CVSS: 4.8EPSS: 0%CPEs: 7EXPL: 0CVE-2021-21489
https://notcve.org/view.php?id=CVE-2021-21489
SAP NetWeaver Enterprise Portal versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user related data, resulting in Stored Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with administrative privileges to store a malicious script on the portal. The execution of the script content by a victim registered on the portal could compromise the confidentiality and integrity of portal content. SAP NetWeaver Enterprise Portal versiones - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no codifican suficientemente los datos relacionados con el usuario, resultando en una vulnerabilidad de tipo Cross-Site Scripting (XSS) Almacenado. Esto permitiría a un atacante con privilegios administrativos almacenar un script malicioso en el portal. • https://launchpad.support.sap.com/#/notes/3082219 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37531
https://notcve.org/view.php?id=CVE-2021-37531
SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, contains an XSLT vulnerability which allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be accessed by the system and then create a file which will trigger the XSLT engine to execute the script contained within the malicious XSL file. This can result in a full compromise of the confidentiality, integrity, and availability of the system. SAP NetWeaver Knowledge Management XML Forms versiones - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, contienen una vulnerabilidad de tipo XSLT que permite a un atacante autenticado no administrativo diseñar un archivo de hoja de estilo XSL malicioso que contenga un script con comandos a nivel de sistema operativo, copiarlo en una ubicación a la que pueda acceder el sistema y, a continuación, crear un archivo que desencadene el motor XSLT para ejecutar el script contenido en el archivo XSL malicioso. Esto puede resultar en un compromiso total de la confidencialidad, integridad y disponibilidad del sistema • http://packetstormsecurity.com/files/165751/SAP-Enterprise-Portal-XSLT-Injection.html http://seclists.org/fulldisclosure/2022/Jan/75 https://launchpad.support.sap.com/#/notes/3081888 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.3EPSS: 0%CPEs: 7EXPL: 0CVE-2021-33702
https://notcve.org/view.php?id=CVE-2021-33702
Under certain conditions, NetWeaver Enterprise Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode report data. An attacker can craft malicious data and print it to the report. In a successful attack, a victim opens the report, and the malicious script gets executed in the victim's browser, resulting in a Stored Cross-Site Scripting (XSS) vulnerability. En determinadas condiciones, NetWeaver Enterprise Portal, versiones - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no codifica suficientemente los datos de los informes. Un atacante puede diseñar datos maliciosos e imprimirlos en el informe. • http://packetstormsecurity.com/files/165737/SAP-Enterprise-Portal-NavigationReporter-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2022/Jan/70 https://launchpad.support.sap.com/#/notes/3073681 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2021-33703
https://notcve.org/view.php?id=CVE-2021-33703
Under certain conditions, NetWeaver Enterprise Portal, versions - 7.30, 7.31, 7.40, 7.50, does not sufficiently encode URL parameters. An attacker can craft a malicious link and send it to a victim. A successful attack results in Reflected Cross-Site Scripting (XSS) vulnerability. Bajo determinadas condiciones, NetWeaver Enterprise Portal, versiones - 7.30, 7.31, 7.40, 7.50, no codifica suficientemente los parámetros de la URL. Un atacante puede diseñar un enlace malicioso y enviarlo a la víctima. • http://packetstormsecurity.com/files/165740/SAP-Enterprise-Portal-RunContentCreation-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2022/Jan/71 https://launchpad.support.sap.com/#/notes/3072920 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •