CVE-2019-0327
https://notcve.org/view.php?id=CVE-2019-0327
SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation. SAP NetWeaver para Java Application Server - Web Container, (engineapi, versiones 7.1, 7.2, 7.3, 7.31, 7.4 y 7.5), (servercode, versiones 7.2, 7.3, 7.31, 7.4, 7.5), permiten a un atacante cargar archivos (incluyendo archivos de script) sin la comprobación apropiada del formato del archivo. • http://www.securityfocus.com/bid/109071 https://launchpad.support.sap.com/#/notes/2777910 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2019-0275
https://notcve.org/view.php?id=CVE-2019-0275
SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability. SAML 1.1 SSO Demo Application en SAP NetWeaCVEr Java Application SerCVEr (J2EE-APPS), desde la CVErsión 7.10 hasta la 7.11 y en CVErsiones 7.20, 7.30, 7.31, 7.40 y 7.50, no codifica suficientemente las entradas controladas por el usuario, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/107362 https://launchpad.support.sap.com/#/notes/2689925 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=515408080 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-2504
https://notcve.org/view.php?id=CVE-2018-2504
SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation or Cross-Site Scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. El servicio Java Web Container, de SAP NetWeaver AS, no valida contra una lista blanca la cabecera HTTP del host, lo que puede resultar en una vulnerabilidad de manipulación de la cabecera HTTP del host o de Cross-Site Scripting (XSS). La vulnerabilidad se ha solucionado en las versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50. • http://www.securityfocus.com/bid/106150 https://launchpad.support.sap.com/#/notes/2718993 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-2503
https://notcve.org/view.php?id=CVE-2018-2503
By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict the access to resources that should be protected. This has been fixed in SAP NetWeaver AS Java (ServerCore versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50). Por defecto, el almacén de claves Java de SAP NetWeaver AS no restringe lo suficiente el acceso a recursos que deberían estar protegidos. Esto ha sido solucionado en SAP NetWeaver AS Java (ServerCore en versiones 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50). • http://www.securityfocus.com/bid/106156 https://launchpad.support.sap.com/#/notes/2658279 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699 • CWE-862: Missing Authorization •
CVE-2018-2452
https://notcve.org/view.php?id=CVE-2018-2452
The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability. La aplicación de inicio de sesión de SAP NetWeaver AS Java desde la versión 7.10 hasta la 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50, no cifra lo suficiente las entradas controladas por el usuario, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/105325 https://launchpad.support.sap.com/#/notes/2623846 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499356993 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •