CVE-2016-2387
https://notcve.org/view.php?id=CVE-2016-2387
Multiple cross-site scripting (XSS) vulnerabilities in the Java Proxy Runtime ProxyServer servlet in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via the (1) ns or (2) interface parameter to ProxyServer/register, aka SAP Security Note 2220571.
References:
• http://packetstormsecurity.com/files/137045/SAP-NetWeaver-AS-JAVA-7.4-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2016/May/39
• https://erpscan.io/advisories/erpscan-16-008-sap-netweaver-7-4-proxyserver-servlet-xss-vulnerability
• https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-2388 – SAP NetWeaver Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2016-2388
The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846. SAP NetWeaver AS JAVA versions 7.1 through 7.5 suffer from an information disclosure vulnerability.
References:
• https://www.exploit-db.com/exploits/43495
• https://www.exploit-db.com/exploits/39841
• http://packetstormsecurity.com/files/137128/SAP-NetWeaver-AS-JAVA-7.5-Information-Disclosure.html
• http://packetstormsecurity.com/files/145860/SAP-NetWeaver-J2EE-Engine-7.40-SQL-Injection.html
• http://seclists.org/fulldisclosure/2016/May/55
• https://erpscan.io/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure
• https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2016-2386 – SAP NetWeaver SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2016-2386
SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079. SAP NetWeaver AS JAVA versions 7.1 through 7.5 suffer from a remote SQL injection vulnerability.
References:
• https://www.exploit-db.com/exploits/43495
• https://www.exploit-db.com/exploits/39840
• https://github.com/murataydemir/CVE-2016-2386
• http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html
• http://seclists.org/fulldisclosure/2016/May/56
• https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability
• https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review
• https://github.com/vah13/SAP_exploit
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-1911
https://notcve.org/view.php?id=CVE-2016-1911
Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) Runtime Workbench (RWB) or (2) Pmitest servlet in the Process Monitoring Infrastructure (PMI), aka SAP Security Notes 2206793 and 2234918.
References:
• http://seclists.org/fulldisclosure/2016/Apr/58
• http://seclists.org/fulldisclosure/2016/Apr/64
• https://erpscan.io/advisories/erpscan-16-001-xss-sap-netweaver-7-4-mdt-servlet
• https://erpscan.io/advisories/erpscan-16-004-sap-netweaver-7-4-pmitest-servlet-xss
• https://erpscan.io/press-center/blog/sap-security-notes-january-2016-review
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-1910 – SAP NetWeaver J2EE Engine 7.40 - SQL Injection
https://notcve.org/view.php?id=CVE-2016-1910
The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers to decrypt unspecified data via unknown vectors, aka SAP Security Note 2191290. SAP NetWeaver J2EE Engine version 7.40 suffers from a remote SQL injection vulnerability.
References:
• https://www.exploit-db.com/exploits/43495
• http://seclists.org/fulldisclosure/2016/Apr/60
• http://www.securityfocus.com/bid/80920
• https://erpscan.io/advisories/erpscan-16-003-sap-netweaver-7-4-cryptographic-issues
• https://erpscan.io/press-center/blog/sap-security-notes-january-2016-review
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor