CVSS: 8.7EPSS: 0%CPEs: 6EXPL: 0CVE-2022-41214
https://notcve.org/view.php?id=CVE-2022-41214
08 Nov 2022 — Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to delete a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the integrity and availability of the application. Debido a una validación de entrada insuficiente, SAP NetWeaver Application Server ABAP y ABAP Platform permiten a un atacante con privilegios de alto nivel utilizar una funció... • https://launchpad.support.sap.com/#/notes/3256571 • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2022-41212
https://notcve.org/view.php?id=CVE-2022-41212
08 Nov 2022 — Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to read a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the confidentiality of the application. Debido a una validación de entrada insuficiente, SAP NetWeaver Application Server ABAP y ABAP Platform permiten a un atacante con privilegios de alto nivel utilizar una función remota habi... • https://launchpad.support.sap.com/#/notes/3256571 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.4EPSS: 0%CPEs: 5EXPL: 0CVE-2022-39799
https://notcve.org/view.php?id=CVE-2022-39799
13 Sep 2022 — An attacker with no prior authentication could craft and send malicious script to SAP GUI for HTML within Fiori Launchpad, resulting in reflected cross-site scripting attack. This could lead to stealing session information and impersonating the affected user. Un atacante sin autenticación previa podría diseñar y enviar un script malicioso a la Interfaz Gráfica de Usuario de SAP para HTML dentro de Fiori Launchpad, resultando en un ataque de tipo cross-site scripting. Esto podría conllevar a un robo de infor... • https://launchpad.support.sap.com/#/notes/3229820 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 11EXPL: 0CVE-2022-35294
https://notcve.org/view.php?id=CVE-2022-35294
13 Sep 2022 — An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user. Un atacante con privilegios básicos de usuario de negocio podría diseñar y cargar un archivo malicioso en SAP NetWeaver Application Server ABAP, que luego ... • https://launchpad.support.sap.com/#/notes/3218177 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 17EXPL: 0CVE-2022-29611
https://notcve.org/view.php?id=CVE-2022-29611
11 May 2022 — SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. SAP NetWeaver Application Server for ABAP y ABAP Platform no llevan a cabo las comprobaciones de autorización necesarias para un usuario autenticado, resultando en una escalada de privilegios • https://launchpad.support.sap.com/#/notes/3165801 • CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2022-29610
https://notcve.org/view.php?id=CVE-2022-29610
11 May 2022 — SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in Stored Cross-Site Scripting (XSS) attack. SAP NetWeaver Application Server ABAP permite que un atacante autenticado cargue archivos maliciosos y elimine (tema) datos, lo que podría resultar en un ataque de tipo Cross-Site Scripting (XSS) Almacenado • https://launchpad.support.sap.com/#/notes/3146336 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-27669
https://notcve.org/view.php?id=CVE-2022-27669
12 Apr 2022 — An unauthenticated user can use functions of XML Data Archiving Service of SAP NetWeaver Application Server for Java - version 7.50, to which access should be restricted. This may result in an escalation of privileges. Un usuario no autenticado puede usar funciones del Servicio de Archivo de Datos XML de SAP NetWeaver Application Server for Java - versión 7.50, cuyo acceso debería estar restringido. Esto puede resultar en una escalada de privilegios • https://launchpad.support.sap.com/#/notes/3152442 • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-26103
https://notcve.org/view.php?id=CVE-2022-26103
08 Mar 2022 — Under certain conditions, SAP NetWeaver (Real Time Messaging Framework) - version 7.50, allows an attacker to access information which could lead to information gathering for further exploits and attacks. Bajo determinadas condiciones, SAP NetWeaver (Real Time Messaging Framework) - versión 7.50, permite a un atacante acceder a información que podría conllevar a una recopilación de información para otras explotaciones y ataques • https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 • CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-26102
https://notcve.org/view.php?id=CVE-2022-26102
08 Mar 2022 — Due to missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated attacker, to access content on the start screen of any transaction that is available with in the same SAP system even if he/she isn't authorized for that transaction. A successful exploitation could expose information and in worst case manipulate data before the start screen is executed, resulting in limited impact on confidentiality and integrity of the application. Debido a ... • https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 0CVE-2022-22540
https://notcve.org/view.php?id=CVE-2022-22540
09 Feb 2022 — SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to execute crafted database queries, that could expose the backend database. Successful attacks could result in disclosure of a table of contents from the system, but no risk of modification possible. SAP NetWeaver AS ABAP (Workplace Server) - versiones 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, permite a un atacante ejecutar consultas a la base de dat... • https://launchpad.support.sap.com/#/notes/3140587 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •