CVSS: 6.4EPSS: 0%CPEs: 14EXPL: 0CVE-2023-23853
https://notcve.org/view.php?id=CVE-2023-23853
14 Feb 2023 — An unauthenticated attacker in AP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, can craft a link which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack. Vulnerability has no direct impact on availability. • https://launchpad.support.sap.com/#/notes/3271227 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 10.0EPSS: 0%CPEs: 27EXPL: 0CVE-2023-0014 – Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-0014
10 Jan 2023 — SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system. • https://launchpad.support.sap.com/#/notes/3089413 • CWE-294: Authentication Bypass by Capture-replay •
CVSS: 6.4EPSS: 0%CPEs: 11EXPL: 0CVE-2023-0013 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-0013
10 Jan 2023 — The ABAP Keyword Documentation of SAP NetWeaver Application Server - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, for ABAP and ABAP Platform does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application. • https://launchpad.support.sap.com/#/notes/3283283 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 17EXPL: 0CVE-2022-29611
https://notcve.org/view.php?id=CVE-2022-29611
11 May 2022 — SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. SAP NetWeaver Application Server for ABAP y ABAP Platform no llevan a cabo las comprobaciones de autorización necesarias para un usuario autenticado, resultando en una escalada de privilegios • https://launchpad.support.sap.com/#/notes/3165801 • CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2022-29610
https://notcve.org/view.php?id=CVE-2022-29610
11 May 2022 — SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in Stored Cross-Site Scripting (XSS) attack. SAP NetWeaver Application Server ABAP permite que un atacante autenticado cargue archivos maliciosos y elimine (tema) datos, lo que podría resultar en un ataque de tipo Cross-Site Scripting (XSS) Almacenado • https://launchpad.support.sap.com/#/notes/3146336 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 15EXPL: 0CVE-2022-28772
https://notcve.org/view.php?id=CVE-2022-28772
12 Apr 2022 — By overlong input values an attacker may force overwrite of the internal program stack in SAP Web Dispatcher - versions 7.53, 7.77, 7.81, 7.85, 7.86, or Internet Communication Manager - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, which makes these programs unavailable, leading to denial of service. Mediante valores de entrada demasiado largos, un atacante puede forzar la sobreescritura de la pila interna del programa en SAP Web... • https://launchpad.support.sap.com/#/notes/3111311 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 1%CPEs: 15EXPL: 0CVE-2022-28773
https://notcve.org/view.php?id=CVE-2022-28773
12 Apr 2022 — Due to an uncontrolled recursion in SAP Web Dispatcher and SAP Internet Communication Manager, the application may crash, leading to denial of service, but can be restarted automatically. Debido a una recursión no controlada en SAP Web Dispatcher y SAP Internet Communication Manager, la aplicación puede bloquearse, conllevando a una denegación de servicio, pero puede reiniciarse automáticamente • https://launchpad.support.sap.com/#/notes/3111293 • CWE-674: Uncontrolled Recursion •
CVSS: 4.9EPSS: 0%CPEs: 15EXPL: 0CVE-2022-22545
https://notcve.org/view.php?id=CVE-2022-22545
09 Feb 2022 — A high privileged user who has access to transaction SM59 can read connection details stored with the destination for http calls in SAP NetWeaver Application Server ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756. Un usuario con altos privilegios que tenga acceso a la transacción SM59 puede leer los detalles de conexión almacenados con el destino de las llamadas http en SAP NetWeaver Application Server ABAP y ABAP Platform - versiones 700, 701, 702... • https://launchpad.support.sap.com/#/notes/3128473 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 0CVE-2022-22540
https://notcve.org/view.php?id=CVE-2022-22540
09 Feb 2022 — SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to execute crafted database queries, that could expose the backend database. Successful attacks could result in disclosure of a table of contents from the system, but no risk of modification possible. SAP NetWeaver AS ABAP (Workplace Server) - versiones 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, permite a un atacante ejecutar consultas a la base de dat... • https://launchpad.support.sap.com/#/notes/3140587 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 1%CPEs: 12EXPL: 0CVE-2022-22534
https://notcve.org/view.php?id=CVE-2022-22534
09 Feb 2022 — Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password. These endpoints are normally exposed over the network and successful exploitation can partially impact confidentiality of the application. Debido a una codificación insuficiente de la entrada del usuario, SAP NetWeaver permite a un atacante no autenticado inyectar código que puede exponer datos confidenciales como el ID de usuario y la contrase... • https://launchpad.support.sap.com/#/notes/3124994 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •