
CVE-2024-27898 – Server-Side Request Forgery in SAP NetWeaver
https://notcve.org/view.php?id=CVE-2024-27898
09 Apr 2024 — The SAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. The impact on confidentiality is low. • https://me.sap.com/notes/3425188 • CWE-918: Server-Side Request Forgery (SSRF) •
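
The defence the SSRF entry above describes as missing is a check on where a server-side request may go before it is sent. The following is an added example (not SAP's code and not from the advisory) of that check in Python: scheme and host allow-lists, rejection of userinfo tricks, and a resolve-then-check step that also catches allow-listed names pointing at internal addresses. `ALLOWED_HOSTS`, `FAKE_DNS` and the resolver are constructed for the demo so it runs offline.

```python
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

# Hypothetical policy for this example: the only hosts the server may fetch from.
ALLOWED_HOSTS = {"api.example.com", "files.example.com"}
ALLOWED_SCHEMES = {"https"}


class SSRFBlocked(ValueError):
    """Raised when a user-supplied URL points somewhere the server must not fetch."""


def is_internal(ip) -> bool:
    """True for loopback, RFC 1918 / ULA, link-local (which includes the
    169.254.169.254 cloud metadata address), multicast, reserved and
    unspecified addresses."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str, resolve: Callable[[str], List[str]]) -> str:
    """Return the IP the request may be sent to, or raise SSRFBlocked.

    resolve(host) -> [ip, ...] is injected so the check runs offline here and
    so the caller can connect to the exact address that was checked rather
    than resolving again (a second lookup reopens the DNS-rebinding window)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("userinfo in URL (allowed-host@real-host confusion)")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("missing host")
    host = host.rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host not on allow-list: {host!r}")
    addrs = resolve(host)
    if not addrs:
        raise SSRFBlocked(f"{host} did not resolve")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # ::ffff:10.0.0.1 is an IPv4 address in an IPv6 wrapper; check the inner one.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if is_internal(ip):
            raise SSRFBlocked(f"{host} resolves to internal address {ip}")
    return addrs[0]


def is_safe_url(url: str, resolve: Callable[[str], List[str]]) -> bool:
    try:
        validate_outbound_url(url, resolve)
        return True
    except SSRFBlocked:
        return False


# Constructed DNS answers for the offline demo. files.example.com models an
# allow-listed name that an attacker has pointed at an internal address.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "files.example.com": ["10.20.30.40"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ["https://api.example.com/v1/items",
              "https://files.example.com/report.pdf",
              "http://api.example.com/",
              "https://api.example.com@169.254.169.254/latest/meta-data/",
              "https://intranet.example.com/"]:
        print(u, "->", "allowed" if is_safe_url(u, fake_resolve) else "blocked")
```

The allow-list is the real control; the address check behind it exists because a name on the allow-list can be made to resolve anywhere by whoever controls its DNS. Redirects returned by the remote side must be run through the same validation before they are followed.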

CVE-2024-25645 – Information Disclosure vulnerability in SAP NetWeaver (Enterprise Portal)
https://notcve.org/view.php?id=CVE-2024-25645
12 Mar 2024 — Under certain conditions, SAP NetWeaver (Enterprise Portal) - version 7.50 allows an attacker to access information which would otherwise be restricted, causing low impact on confidentiality of the application and no impact on integrity and availability of the application. • https://me.sap.com/notes/3428847 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •

CVE-2024-28163 – Information Disclosure vulnerability in SAP NetWeaver Process Integration (Support Web Pages)
https://notcve.org/view.php?id=CVE-2024-28163
12 Mar 2024 — Under certain conditions, Support Web Pages of SAP NetWeaver Process Integration (PI) - version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on confidentiality with no impact on integrity and availability of the application. • https://me.sap.com/notes/3434192 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •

CVE-2024-27902 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP applications based on SAPGUI for HTML (WebGUI)
https://notcve.org/view.php?id=CVE-2024-27902
12 Mar 2024 — Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. A successful attack can allow a malicious attacker to access and modify data through their ability to execute code in a user's browser. There is no impact on the availability of the system. • https://me.sap.com/notes/3377979 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-25644 – Information Disclosure vulnerability in NetWeaver (WSRM)
https://notcve.org/view.php?id=CVE-2024-25644
12 Mar 2024 — Under certain conditions, SAP NetWeaver WSRM - version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on confidentiality with no impact on integrity and availability of the application. • https://me.sap.com/notes/3425682 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •

CVE-2024-22127 – Code Injection vulnerability in SAP NetWeaver AS Java (Administrator Log Viewer plug-in)
https://notcve.org/view.php?id=CVE-2024-22127
12 Mar 2024 — SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high privileges to upload potentially dangerous files, leading to a command injection vulnerability. This would enable the attacker to run commands with high impact on confidentiality, integrity and availability of the application. • https://me.sap.com/notes/3433192 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
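
The entry above pairs a file upload with a command injection: an uploaded file's attacker-chosen name or content ends up in a command the server runs. The following is an added example, not SAP's code and not derived from the advisory, showing the vulnerable shape beside a hardened one in Python. The upload directory `/srv/uploads`, the `gzip -d` command and the name allow-list are assumptions for the demo; the functions build the command and do not execute it.

```python
import re
from pathlib import PurePosixPath
from typing import List

# Hypothetical policy for this example: what an uploaded log archive may be called.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
ALLOWED_SUFFIXES = {".log", ".txt", ".gz"}
UPLOAD_DIR = PurePosixPath("/srv/uploads")   # assumed location for the demo


class RejectedUpload(ValueError):
    """Raised when a client-supplied file name fails validation."""


def safe_store_path(client_name: str) -> PurePosixPath:
    """Map a client-supplied name onto a fixed directory under a strict allow-list.

    Any directory part the client sent is discarded (both separator styles),
    the remainder must match SAFE_NAME (so it contains no shell metacharacters,
    whitespace or leading '-'), and only known suffixes are accepted."""
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if not SAFE_NAME.fullmatch(base) or ".." in base:
        raise RejectedUpload(f"bad file name: {client_name!r}")
    if PurePosixPath(base).suffix.lower() not in ALLOWED_SUFFIXES:
        raise RejectedUpload(f"suffix not allowed: {client_name!r}")
    return UPLOAD_DIR / base


def vulnerable_command(client_name: str) -> str:
    """The pattern behind this vulnerability class: the client's name is spliced
    into a shell command line (os.system, or Runtime.exec via a shell)."""
    return f"gzip -d {UPLOAD_DIR}/{client_name}"


def hardened_command(client_name: str) -> List[str]:
    """argv for subprocess.run(argv, shell=False): no shell to interpret
    metacharacters, a validated name, and '--' so the name cannot be an option."""
    return ["gzip", "-d", "--", str(safe_store_path(client_name))]


def is_accepted(client_name: str) -> bool:
    try:
        safe_store_path(client_name)
        return True
    except RejectedUpload:
        return False


if __name__ == "__main__":
    for name in ["report.log.gz", "x.gz; id", "../../etc/cron.d/job.txt", "-rf.gz", "tool.sh"]:
        print(repr(name), "->", vulnerable_command(name), "|",
              hardened_command(name) if is_accepted(name) else "REJECTED")
```

Note what the hardened version does with `../../etc/cron.d/job.txt`: it keeps only `job.txt` and stores it under the fixed directory, rather than trying to sanitise the path the client chose. The argv form is what matters most: with `shell=False` there is no shell to interpret `;`, `$( )` or backticks even if the name check were weaker.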

CVE-2024-24743 – XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures)
https://notcve.org/view.php?id=CVE-2024-24743
13 Feb 2024 — SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed enables the attacker to access sensitive files and data but not modify them. Entity expansion limits are in place, so availability is not affected. • https://me.sap.com/notes/3426111 • CWE-611: Improper Restriction of XML External Entity Reference •
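
The XXE entry above describes a parser that resolves external entities in attacker-supplied XML (file read), while entity expansion limits keep the denial-of-service variant out. As an added example, not SAP's code and not from the advisory, the Python function below shows the usual hardening for untrusted XML: refuse any DTD before parsing, and register parser handlers that abort if a DOCTYPE, entity declaration or external entity reference is reached anyway. The sample documents are constructed for the demo.

```python
import re
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD, entity declaration or external reference."""


# Cheap first line of defence: a byte-level scan for a DOCTYPE. It can be
# evaded by documents in encodings like UTF-16, which is why the parser-level
# handlers in parse_untrusted() exist as well.
_DOCTYPE = re.compile(rb"<!DOCTYPE\b")


def parse_untrusted(data: bytes, max_bytes: int = 1 << 20, prescan: bool = True) -> dict:
    """Parse untrusted XML into {element/path: text}, refusing DTDs and external entities.

    Rejecting the DTD outright removes both external entities (file read, SSRF)
    and internal entity expansion ("billion laughs"), so no expansion limit is
    needed. max_bytes bounds memory regardless of content."""
    if len(data) > max_bytes:
        raise UnsafeXML(f"document exceeds {max_bytes} bytes")
    if prescan and _DOCTYPE.search(data):
        raise UnsafeXML("DOCTYPE declarations are not accepted")

    p = expat.ParserCreate()
    # Never fetch an external DTD subset or parameter entities.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} rejected (system id {sysid!r})")

    def on_entity_decl(*args):
        raise UnsafeXML("entity declarations are not accepted")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference rejected: {sysid!r}")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_ref

    result, stack, buf = {}, [], []

    def start(name, attrs):
        stack.append(name)
        buf.clear()

    def chars(text):
        buf.append(text)

    def end(name):
        text = "".join(buf).strip()
        if text:
            result["/".join(stack)] = text
        stack.pop()
        buf.clear()

    p.StartElementHandler = start
    p.CharacterDataHandler = chars
    p.EndElementHandler = end
    p.Parse(data, True)   # handler exceptions propagate out of Parse()
    return result


def is_safe_xml(data: bytes, **kw) -> bool:
    try:
        parse_untrusted(data, **kw)
        return True
    except (UnsafeXML, expat.ExpatError):
        return False


# Constructed inputs for the demo.
CLEAN_XML = b"<?xml version='1.0'?><order><id>42</id><note>hello</note></order>"
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
           b'<x>&xxe;</x>')

if __name__ == "__main__":
    print(parse_untrusted(CLEAN_XML))
    print("xxe accepted:", is_safe_xml(XXE_XML), "/ without prescan:", is_safe_xml(XXE_XML, prescan=False))
```

The same two layers apply to any parser: a pre-parse rejection of DTDs as a blunt filter, and the parser's own feature switches (in JAXP, disallow the `doctype-decl` feature and disable external general and parameter entities) as the control that actually holds when the filter is bypassed.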

CVE-2024-24740 – Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (SAP Kernel)
https://notcve.org/view.php?id=CVE-2024-24740
13 Feb 2024 — SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which would otherwise be restricted, with low impact on confidentiality of the application. • https://me.sap.com/notes/3360827 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •

CVE-2024-22128 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML
https://notcve.org/view.php?id=CVE-2024-22128
13 Feb 2024 — SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can inject malicious JavaScript, causing limited impact to the confidentiality and integrity of application data after successful exploitation. • https://me.sap.com/notes/3396109 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-22126 – Cross Site Scripting vulnerability in SAP NetWeaver AS Java (User Admin Application)
https://notcve.org/view.php?id=CVE-2024-22126
13 Feb 2024 — The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them in the redirect URL. This results in a Cross-Site Scripting (XSS) vulnerability with a high impact on confidentiality and mild impact on integrity and availability. • https://me.sap.com/notes/3417627 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
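
The three XSS entries on this page (WebGUI, NWBC for HTML, and the User Admin redirect above) share one root cause: a user-controlled value is written into a page without encoding for the context it lands in, and in the redirect case without first validating that it is a redirect target at all. The following is an added example in Python, not SAP's code and not taken from any advisory, that shows the reflected-redirect shape beside a hardened version: validate the target down to a site-relative path, then encode for the HTML attribute it is placed in. The `meta refresh` page and the inputs are constructed for the demo.

```python
import html
from urllib.parse import quote, urlsplit


def safe_next(next_url: str) -> str:
    """Reduce a user-supplied redirect target to a site-relative path, or '/'.

    Rejects absolute URLs and any scheme (javascript:, data:, https:),
    scheme-relative '//host', the '/\\host' backslash trick, and control
    characters (which would also enable header injection). The surviving path
    and query are percent-encoded so nothing in them can close an attribute
    or element when the value is reflected into markup."""
    if not next_url.startswith("/") or next_url.startswith(("//", "/\\")):
        return "/"
    if any(ord(c) < 0x20 or c == "\x7f" for c in next_url):
        return "/"
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        return "/"
    target = quote(parts.path, safe="/%")
    if parts.query:
        target += "?" + quote(parts.query, safe="=&%+")
    return target   # fragment dropped; it never reaches the server anyway


def vulnerable_redirect_page(next_url: str) -> str:
    """The pattern in this vulnerability class: the parameter is reflected as-is
    into the page that performs the redirect."""
    return f'<meta http-equiv="refresh" content="0;url={next_url}">'


def safe_redirect_page(next_url: str) -> str:
    """Validate first, then encode for the HTML attribute context it lands in."""
    target = html.escape(safe_next(next_url), quote=True)
    return f'<meta http-equiv="refresh" content="0;url={target}">'


def safe_location_header(next_url: str) -> str:
    """Same validation when the redirect is an HTTP Location header instead."""
    return "Location: " + safe_next(next_url)


# Constructed attacker input: breaks out of the attribute and injects script.
PAYLOAD = '/x"><script>alert(1)</script>'

if __name__ == "__main__":
    print(vulnerable_redirect_page(PAYLOAD))
    print(safe_redirect_page(PAYLOAD))
    for u in ["/portal/home?tab=1", "//evil.example/phish", "javascript:alert(1)",
              "/ok\r\nSet-Cookie: a=b"]:
        print(repr(u), "->", safe_location_header(u))
```

Validation and encoding are separate controls and both are needed: `html.escape` alone would still let `//evil.example` or `javascript:` through as a valid-looking attribute value, and validation alone would not stop a quote in an otherwise site-relative path from ending the attribute. In a Java application the same split applies, with the framework's context-specific encoder doing the second step.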