CVSS: 5.0EPSS: 12%CPEs: 2EXPL: 3CVE-2012-2514 – SAP NetWeaver Dispatcher 7.0 ehp1/2 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-2514
The DiagiEventSource function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows remote attackers to cause a denial of service (daemon crash) via a crafted SAP Diag packet. La función de DiagiEventSource en disp+work.exe v7010.29.15.58313 y v7200.70.18.23869 en el distribuidor de la plataforma SAP NetWeaver 7.0 EHP1 y EHP2 permite a atacantes remotos causar una denegación de servicio (caída de demonio) a través de un elaborado paquete SAP Diag. • https://www.exploit-db.com/exploits/20705 https://www.exploit-db.com/exploits/18853 http://scn.sap.com/docs/DOC-8218 http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities http://www.securitytracker.com/id?1027052 https://exchange.xforce.ibmcloud.com/vulnerabilities/75456 https://service.sap.com/sap/support/notes/1687910 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 0CVE-2011-1517
https://notcve.org/view.php?id=CVE-2011-1517
SAP NetWeaver 7.0 allows Remote Code Execution and Denial of Service caused by an error in the DiagTraceHex() function. By sending a specially-crafted packet, an attacker could exploit this vulnerability to cause the application to crash. SAP NetWeaver versión 7.0, permite una ejecución de código remota y una denegación de servicio causada por un error en la función DiagTraceHex(). Mediante el envío de un paquete especialmente diseñado, un atacante podría explotar esta vulnerabilidad para causar que la aplicación se bloquee. • http://archives.neohapsis.com/archives/bugtraq/2012-05/0061.html http://www.securityfocus.com/bid/53424 https://exchange.xforce.ibmcloud.com/vulnerabilities/75452 •
CVSS: 4.0EPSS: 1%CPEs: 1EXPL: 2CVE-2012-1289
https://notcve.org/view.php?id=CVE-2012-1289
Multiple directory traversal vulnerabilities in SAP NetWeaver 7.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the logfilename parameter to (1) b2b/admin/log.jsp or (2) b2b/admin/log_view.jsp in the Internet Sales (crm.b2b) component, or (3) ipc/admin/log.jsp or (4) ipc/admin/log_view.jsp in the Application Administration (com.sap.ipc.webapp.ipc) component. Múltiples vulnerabilidades de salto de directorio en la plataforma SAP NetWeaver v7.0 permite a usuarios remotos autenticados leer ficheros arbitrarios a través de un .. (punto punto) en el parámetro logfilename a (1) b2b/admin/log.jsp o (2) b2b/admin/log_view.jsp en las ventas por Internet (crm.b2b), componente, o (3) ipc / admin log / . jsp o (4) los componentes del IPC / admin / log_view.jsp en la Administración de aplicaciones (com.sap.ipc.webapp.ipc) .. • http://dsecrg.com/pages/vul/show.php?id=412 http://dsecrg.com/pages/vul/show.php?id=413 http://secunia.com/advisories/47861 http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a http://www.securityfocus.com/bid/52101 https://exchange.xforce.ibmcloud.com/vulnerabilities/73346 https://service.sap.com/sap/support/notes/1585527 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2012-1290
https://notcve.org/view.php?id=CVE-2012-1290
Cross-site scripting (XSS) vulnerability in b2b/auction/container.jsp in the Internet Sales (crm.b2b) module in SAP NetWeaver 7.0 allows remote attackers to inject arbitrary web script or HTML via the _loadPage parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados en b2b/auction/container.jsp en las ventas por Internet (crm.b2b) módulo en la plataforma SAP NetWeaver v7.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro _loadPage. • http://dsecrg.com/pages/vul/show.php?id=414 http://secunia.com/advisories/47861 http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a http://www.securityfocus.com/bid/52101 https://service.sap.com/sap/support/notes/1583300 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2012-1291
https://notcve.org/view.php?id=CVE-2012-1291
Unspecified vulnerability in the com.sap.aii.mdt.amt.web.AMTPageProcessor servlet in SAP NetWeaver 7.0 allows remote attackers to obtain sensitive information about the Adapter Monitor via unspecified vectors, possibly related to the EnableInvokerServletGlobally property in the servlet_jsp service. Una vulnerabilidad no especificada en el servlet com.sap.aii.mdt.amt.web.AMTPageProcessor en SAP NetWeaver v7.0 permite a atacantes remotos obtener información sensible sobre el "Adapter Monitor" a través de vectores no especificados. Posiblemente la vulnerabilidad esta relacionada con la propiedad EnableInvokerServletGlobally en el servicio servlet_jsp. • http://dsecrg.com/pages/vul/show.php?id=415 http://secunia.com/advisories/47861 http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a http://www.securityfocus.com/bid/52101 https://service.sap.com/sap/support/notes/1585527 •