Page 6 of 28 results (0.007 seconds)

CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 3

CVE-2016-3974 – SAP NetWeaver AS JAVA 7.1 < 7.5 - 'ctcprotocol Servlet' XML External Entity

https://notcve.org/view.php?id=CVE-2016-3974

XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to _tc~monitoring~webservice~web/ServerNodesWSService, aka SAP Security Note 2235994. Vulnerabilidad de XXE en Configuration Wizard en SAP NetWeaver Java AS 7.1 hasta la versión 7.5 permite a atacantes remotos provocar una denegación de servicio, llevar a cabo ataques SMB Relay o acceder a archivos arbitrarios a través de una petición XML manipulada para _tc~monitoring~webservice~web/ServerNodesWSService, también conocida como SAP Security Note 2235994. SAP NetWeaver AS JAVA versions 7.1 through 7.5 suffer from an XML external entity injection vulnerability. • https://www.exploit-db.com/exploits/39995 http://packetstormsecurity.com/files/137527/SAP-NetWeaver-AS-JAVA-7.5-XXE-Injection.html http://seclists.org/fulldisclosure/2016/Jun/41 https://erpscan.io/advisories/erpscan-16-013-sap-netweaver-7-4-ctcprotocol-servlet-xxe https://erpscan.io/press-center/blog/sap-security-notes-march-2016-review • CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2

CVE-2016-3975 – SAP NetWeaver AS JAVA 7.5 Cross Site Scripting

https://notcve.org/view.php?id=CVE-2016-3975

Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.NavigationURLTester, aka SAP Security Note 2238375. Vulnerabilidad de XSS en SAP NetWeaver AS Java 7.1 hasta la versión 7.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro navigationTarget para irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.NavigationURLTester, también conocida como SAP Security Note 2238375. SAP NetWeaver AS JAVA versions 7.1 through 7.5 suffer from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/137529/SAP-NetWeaver-AS-JAVA-7.5-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2016/Jun/42 https://erpscan.io/advisories/erpscan-16-014-sap-netweaver-7-4-navigationurltester https://erpscan.io/press-center/blog/sap-security-notes-march-2016-review • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 1%CPEs: 1EXPL: 5

CVE-2016-2388 – SAP NetWeaver Information Disclosure Vulnerability

https://notcve.org/view.php?id=CVE-2016-2388

The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846. El Universal Worklist Configuration en SAP NetWeaver AS JAVA 7.4 permite a los atacantes remotos obtener información sensible de los usuarios a través de una solicitud HTTP manipulada, también conocida como SAP Security Note 2256846 SAP NetWeaver AS JAVA versions 7.1 through 7.5 suffer from an information disclosure vulnerability. The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request. • https://www.exploit-db.com/exploits/43495 https://www.exploit-db.com/exploits/39841 http://packetstormsecurity.com/files/137128/SAP-NetWeaver-AS-JAVA-7.5-Information-Disclosure.html http://packetstormsecurity.com/files/145860/SAP-NetWeaver-J2EE-Engine-7.40-SQL-Injection.html http://seclists.org/fulldisclosure/2016/May/55 https://erpscan.io/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •