CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-11457
https://notcve.org/view.php?id=CVE-2017-11457
25 Jul 2017 — XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249. La vulnerabilidad tipo XML external entity (XXE) en componente com.sap.km.cm.ice en SAP NetWeaver AS JAVA versión 7.5 permite a los usuarios identificados remotos leer archivos arbitrarios o conducir ataques de tipo server-side request forger... • http://www.securityfocus.com/bid/97572 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-8913
https://notcve.org/view.php?id=CVE-2017-8913
23 May 2017 — The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873. El componente VC70RUNTIME de Visual Composer en SAP NetWeaver AS JAVA versión 7.5 permite a los usuarios autenticados remotos conducir ataques de tipo XML External Entity (XXE) por medio de un documento XML creado en un... • https://erpscan.io/advisories/erpscan-17-007-sap-netweaver-java-7-5-xxe-visual-composer-vc70runtime • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-7717
https://notcve.org/view.php?id=CVE-2017-7717
14 Apr 2017 — SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504. Vulnerabilidad de inyección de SQL en el método getUserUddiElements en el componente ES UDDI en SAP NetWeaver AS Java 7.4 permite a usuarios autenticados remotos ejecutar comandos SQL arbitrarios a través de vectores no especificados, también conocido como SAP Security No... • http://www.securityfocus.com/bid/100168 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-10304
https://notcve.org/view.php?id=CVE-2016-10304
10 Apr 2017 — The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788. El componente SAP EP-RUNTIME en SAP NetWeaver AS JAVA 7.5 permite a los usuarios autenticados remotos provocar una denegación de servicio (error de falta de memoria e inestabilidad del servicio) a través de un objeto Java serializado manipulado ... • https://erpscan.io/advisories/erpscan-16-029-sap-netweaver-java-7-5-deserialization-untrusted-user-value-trustmanagementservlet • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-9562
https://notcve.org/view.php?id=CVE-2016-9562
23 Nov 2016 — SAP NetWeaver AS JAVA 7.4 allows remote attackers to cause a Denial of Service (null pointer exception and icman outage) via an HTTPS request to the sap.com~P4TunnelingApp!web/myServlet URI, aka SAP Security Note 2313835. SAP NetWeaver AS JAVA 7.4 permite a atacantes remotos provocar una denegación de servicio (excepción de puntero nulo e interrupción de icman) a través de una petición HTTPS a la URI sap.com~P4TunnelingApp!web/myServlet, vulnerabilidad también conocida como SAP Security Note 2313835. • http://www.securityfocus.com/bid/92418 • CWE-476: NULL Pointer Dereference •
CVSS: 6.5EPSS: 84%CPEs: 1EXPL: 0CVE-2016-9563 – SAP NetWeaver XML External Entity (XXE) Vulnerability
https://notcve.org/view.php?id=CVE-2016-9563
23 Nov 2016 — BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909. BC-BMT-BPM-DSK en SAP NetWeaver AS JAVA 7.5 permite a usuarios remotos autenticados llevar a cabo ataques XML External Entity (XXE) a través de la URI sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn, vulnerabilidad también conocida como SAP Security Note 2296909. SAP NetWeaver Applicati... • http://www.securityfocus.com/bid/92419 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 10.0EPSS: 44%CPEs: 1EXPL: 0CVE-2010-5326 – SAP NetWeaver Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2010-5326
13 May 2016 — The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack. El Invoker Servlet sobre plataformas SAP NetWeaver Application Server Java, posiblemente en versiones anteriores a 7.3, no requiere autenticación, loq ue permite a atacantes remotos ejecutar código arbitrario a través de una petic... • http://service.sap.com/sap/support/notes/1445998 • CWE-306: Missing Authentication for Critical Function •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-8840
https://notcve.org/view.php?id=CVE-2015-8840
08 Apr 2016 — The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215. El XML Data Archiving Service (XML DAS) en SAP NetWeaver AS Java no comprueba la autorización, lo que permite a usuarios remotos ... • http://scn.sap.com/community/security/blog/2015/07/15/sap-security-notes-july-2015 • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 96%CPEs: 1EXPL: 4CVE-2016-3976 – SAP NetWeaver Directory Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2016-3976
07 Apr 2016 — Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971. Vulnerabilidad de salto de directorio en SAP NetWeaver AS Java 7.1 hasta la versión 7.5 permite a atacantes remotos leer archivos arbitrarios a través de ..\ (punto punto barra invertida) en el parámetro fileName para CrashFileDownloadServlet, también conocida como SAP Sec... • https://packetstorm.news/files/id/137528 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2016-3973 – SAP NetWeaver AS JAVA 7.5 Information Disclosure
https://notcve.org/view.php?id=CVE-2016-3973
07 Apr 2016 — The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to obtain sensitive user information by visiting webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#, pressing "Add users", and doing a search, aka SAP Security Note 2255990. La característica de chat en los servicios Real-Time Collaboration (RTC) 7.3 y 7.4 en SAP NetWeaver Java AS 7.1 hasta la versión 7.5 permite a atacantes remotos obtener información sensi... • https://packetstorm.news/files/id/137579 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •