CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2021-33703 – SAP Enterprise Portal RunContentCreation Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-33703
10 Aug 2021 — Under certain conditions, NetWeaver Enterprise Portal, versions - 7.30, 7.31, 7.40, 7.50, does not sufficiently encode URL parameters. An attacker can craft a malicious link and send it to a victim. A successful attack results in Reflected Cross-Site Scripting (XSS) vulnerability. Bajo determinadas condiciones, NetWeaver Enterprise Portal, versiones - 7.30, 7.31, 7.40, 7.50, no codifica suficientemente los parámetros de la URL. Un atacante puede diseñar un enlace malicioso y enviarlo a la víctima. • http://packetstormsecurity.com/files/165740/SAP-Enterprise-Portal-RunContentCreation-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2021-33707 – SAP Enterprise Portal Open Redirect
https://notcve.org/view.php?id=CVE-2021-33707
10 Aug 2021 — SAP NetWeaver Knowledge Management allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via a URL stored in a component. This could enable the attacker to compromise the user's confidentiality and integrity. SAP NetWeaver Knowledge Management, permite a atacantes remotos redirigir a usuarios a sitios web arbitrarios y conducir ataques de phishing por medio de una URL almacenada en un componente. Esto podría permitir al atacante comprometer la confidencialidad e integr... • http://packetstormsecurity.com/files/165748/SAP-Enterprise-Portal-Open-Redirect.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 4.9EPSS: 0%CPEs: 6EXPL: 0CVE-2021-33687 – SAP Enterprise Portal Sensitive Data Disclosure
https://notcve.org/view.php?id=CVE-2021-33687
14 Jul 2021 — SAP NetWeaver AS JAVA (Enterprise Portal), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 reveals sensitive information in one of their HTTP requests, an attacker can use this in conjunction with other attacks such as XSS to steal this information. SAP NetWeaver AS JAVA (Enterprise Portal), versiones - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, revela información confidencial en una de sus peticiones HTTP, un atacante puede usar esto en conjunto con otros ataques como de tipo XSS para robar esta información SAP Ent... • http://packetstormsecurity.com/files/164600/SAP-Enterprise-Portal-Sensitive-Data-Disclosure.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-33689
https://notcve.org/view.php?id=CVE-2021-33689
14 Jul 2021 — When user with insufficient privileges tries to access any application in SAP NetWeaver Administrator (Administrator applications), version - 7.50, no security audit log is created. Therefore, security audit log Integrity is impacted. Cuando un usuario con privilegios insuficientes intenta acceder a cualquier aplicación en SAP NetWeaver Administrator (Administrator applications), versión - 7.50, no es creado ningún registro de auditoría de seguridad. Por lo tanto, la integridad del registro de auditoría de ... • https://launchpad.support.sap.com/#/notes/3038594 • CWE-778: Insufficient Logging •
CVSS: 7.5EPSS: 1%CPEs: 7EXPL: 0CVE-2021-33670 – SAP NetWeaver Java Denial of Service
https://notcve.org/view.php?id=CVE-2021-33670
14 Jul 2021 — SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability. SAP NetWeaver AS for Java (Http Service Monitoring Filter), versiones - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, permite a un atacante enviar múltiples peticiones HTTP con diferentes ... • http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-33671
https://notcve.org/view.php?id=CVE-2021-33671
14 Jul 2021 — SAP NetWeaver Guided Procedures (Administration Workset), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. The impact of missing authorization could result to abuse of functionality restricted to a particular user group, and could allow unauthorized users to read, modify or delete restricted data. SAP NetWeaver Guided Procedures (Administration Workset), versiones - 7.10, 7.20, 7.30, 7.31, 7.40, 7... • https://launchpad.support.sap.com/#/notes/3059446 • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 0%CPEs: 5EXPL: 0CVE-2021-27635 – SAP JAVA NetWeaver System Connections XML Injection
https://notcve.org/view.php?id=CVE-2021-27635
09 Jun 2021 — SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compromise as to ... • http://packetstormsecurity.com/files/164592/SAP-JAVA-NetWeaver-System-Connections-XML-Injection.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-27621
https://notcve.org/view.php?id=CVE-2021-27621
09 Jun 2021 — Information Disclosure vulnerability in UserAdmin application in SAP NetWeaver Application Server for Java, versions - 7.11,7.20,7.30,7.31,7.40 and 7.50 allows attackers to access restricted information by entering malicious server name. Una vulnerabilidad de divulgación de información en la aplicación UserAdmin en SAP NetWeaver Application Server para Java, versiones - 7.11,7.20,7.30,7.31,7.40 y 7.50, permite a atacantes acceder a información restringida al ingresar el nombre del servidor malicioso • https://launchpad.support.sap.com/#/notes/3023299 •
CVSS: 4.9EPSS: 0%CPEs: 7EXPL: 0CVE-2021-27618
https://notcve.org/view.php?id=CVE-2021-27618
11 May 2021 — The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not check the file type extension of the file uploaded from local source. An attacker could craft a malicious file and upload it to the application, which could lead to denial of service and impact the availability of the application. Integration Builder Framework de SAP Process Integration versiones - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no comprueba la extensión del tipo de archivo d... • https://launchpad.support.sap.com/#/notes/3012021 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.9EPSS: 0%CPEs: 7EXPL: 0CVE-2021-27617
https://notcve.org/view.php?id=CVE-2021-27617
11 May 2021 — The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document uploaded from local source. An attacker can craft a malicious XML which when uploaded and parsed by the application, could lead to Denial-of-service conditions due to consumption of a large amount of system memory, thus highly impacting system availability. Integration Builder Framework de SAP Process Integration versiones - 7.10, 7.11, 7.20, 7.30, ... • https://launchpad.support.sap.com/#/notes/3012021 • CWE-20: Improper Input Validation •