CVE-2021-33707
https://notcve.org/view.php?id=CVE-2021-33707
SAP NetWeaver Knowledge Management allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via a URL stored in a component. This could enable the attacker to compromise the user's confidentiality and integrity. SAP NetWeaver Knowledge Management, permite a atacantes remotos redirigir a usuarios a sitios web arbitrarios y conducir ataques de phishing por medio de una URL almacenada en un componente. Esto podría permitir al atacante comprometer la confidencialidad e integridad del usuario • http://packetstormsecurity.com/files/165748/SAP-Enterprise-Portal-Open-Redirect.html http://seclists.org/fulldisclosure/2022/Jan/73 https://launchpad.support.sap.com/#/notes/3076399 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2021-33687
https://notcve.org/view.php?id=CVE-2021-33687
SAP NetWeaver AS JAVA (Enterprise Portal), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 reveals sensitive information in one of their HTTP requests, an attacker can use this in conjunction with other attacks such as XSS to steal this information. SAP NetWeaver AS JAVA (Enterprise Portal), versiones - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, revela información confidencial en una de sus peticiones HTTP, un atacante puede usar esto en conjunto con otros ataques como de tipo XSS para robar esta información • http://packetstormsecurity.com/files/164600/SAP-Enterprise-Portal-Sensitive-Data-Disclosure.html http://seclists.org/fulldisclosure/2021/Oct/32 https://launchpad.support.sap.com/#/notes/3059764 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2021-33670
https://notcve.org/view.php?id=CVE-2021-33670
SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability. SAP NetWeaver AS for Java (Http Service Monitoring Filter), versiones - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, permite a un atacante enviar múltiples peticiones HTTP con diferentes tipos de métodos, bloqueando así el filtro y haciendo que el servidor HTTP no esté disponible para otros usuarios legítimos, conllevando a una vulnerabilidad denegación de servicio • http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html http://seclists.org/fulldisclosure/2022/May/4 https://launchpad.support.sap.com/#/notes/3056652 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 •
CVE-2021-33671
https://notcve.org/view.php?id=CVE-2021-33671
SAP NetWeaver Guided Procedures (Administration Workset), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. The impact of missing authorization could result to abuse of functionality restricted to a particular user group, and could allow unauthorized users to read, modify or delete restricted data. SAP NetWeaver Guided Procedures (Administration Workset), versiones - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, no lleva a cabo las comprobaciones de autorización necesarias para un usuario autenticado, resultando en una escalada de privilegios. El impacto de la falta de autorización podría resultar en el abuso de la funcionalidad restringida a un grupo de usuarios en particular, y podría permitir a usuarios no autorizados a leer, modificar o eliminar los datos restringidos • https://launchpad.support.sap.com/#/notes/3059446 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 • CWE-862: Missing Authorization •
CVE-2021-27635
https://notcve.org/view.php?id=CVE-2021-27635
SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compromise as to integrity. SAP NetWeaver AS para JAVA, versiones - 7.20, 7.30, 7.31, 7.40, 7.50, permite a un atacante autenticado como administrador conectarse a través de una red y enviar un archivo XML especialmente diseñado en la aplicación debido a que falta la comprobación XML; esta vulnerabilidad habilita al atacante comprometer completamente la confidencialidad al permitirles leer cualquier archivo en el sistema de archivos o comprometer completamente la disponibilidad al causar que el sistema se bloquee. El ataque no puede ser usado para cambiar ningún dato, de modo que no se comprometa la integridad • http://packetstormsecurity.com/files/164592/SAP-JAVA-NetWeaver-System-Connections-XML-Injection.html http://seclists.org/fulldisclosure/2021/Oct/28 https://launchpad.support.sap.com/#/notes/3053066 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 • CWE-611: Improper Restriction of XML External Entity Reference •