CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 4CVE-2016-3974 – SAP NetWeaver AS JAVA 7.1 < 7.5 - 'ctcprotocol Servlet' XML External Entity
https://notcve.org/view.php?id=CVE-2016-3974
07 Apr 2016 — XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to _tc~monitoring~webservice~web/ServerNodesWSService, aka SAP Security Note 2235994. Vulnerabilidad de XXE en Configuration Wizard en SAP NetWeaver Java AS 7.1 hasta la versión 7.5 permite a atacantes remotos provocar una denegación de servicio, llevar a cabo ataques S... • https://packetstorm.news/files/id/137527 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 3CVE-2016-3975 – SAP NetWeaver AS JAVA 7.5 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2016-3975
07 Apr 2016 — Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.NavigationURLTester, aka SAP Security Note 2238375. Vulnerabilidad de XSS en SAP NetWeaver AS Java 7.1 hasta la versión 7.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro navigationT... • https://packetstorm.news/files/id/137529 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 22%CPEs: 1EXPL: 8CVE-2016-2386 – SAP NetWeaver SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2016-2386
16 Feb 2016 — SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079. Vulnerabilidad de inyección SQL en el servidor UDDI en SAP NetWeaver J2EE Engine 7.40 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de vectores no especificados, también conocida como SAP Security Note 2101079. SAP NetWeaver AS JAVA versions 7.1 through 7.5 suffer from a remote SQL injection... • https://packetstorm.news/files/id/145860 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 7CVE-2016-2388 – SAP NetWeaver Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2016-2388
16 Feb 2016 — The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846. El Universal Worklist Configuration en SAP NetWeaver AS JAVA 7.4 permite a los atacantes remotos obtener información sensible de los usuarios a través de una solicitud HTTP manipulada, también conocida como SAP Security Note 2256846 SAP NetWeaver AS JAVA versions 7.1 through 7.5 suffer from an information disclosure vulnerab... • https://packetstorm.news/files/id/145860 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2015-4158
https://notcve.org/view.php?id=CVE-2015-4158
02 Jun 2015 — SAP ABAP & Java Server allows remote attackers to cause a denial of service (service termination) via unspecified vectors, aka SAP Security Note 2121661. SAP ABAP & Java Server permite a atacantes remotos causar una denegación de servicio (terminación de servicio) a través de vectores no especificado, también conocido como la nota de seguridad de SAP 2121661. • http://seclists.org/fulldisclosure/2015/May/96 •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-4091
https://notcve.org/view.php?id=CVE-2015-4091
26 May 2015 — XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to send TCP requests to intranet servers or possibly have unspecified other impact via an XML request to tc~sld~wd~main/Main, related to "CIM UPLOAD," aka SAP Security Note 2090851. Vulnerabilidad de XXE en SAP NetWeaver AS Java 7.4 permite a atacantes remotos enviar peticiones TCP a servidores intranet o posiblemente tener otro impacto no especificado a través de una petición XML a tc~sld~wd~main/Main, relacionado ... • http://packetstormsecurity.com/files/133122/SAP-NetWeaver-AS-Java-XXE-Injection.html •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 4CVE-2015-2278 – SAP LZC/LZH Compression Denial of Service
https://notcve.org/view.php?id=CVE-2015-2278
13 May 2015 — The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, related to look-ups of non-simple codes, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316. La implementación LZH decompression ... • http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 4CVE-2015-2282 – SAP LZC/LZH Compression Denial of Service
https://notcve.org/view.php?id=CVE-2015-2282
13 May 2015 — Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316. Desbordamiento de buffer ... • http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8590
https://notcve.org/view.php?id=CVE-2014-8590
04 Nov 2014 — XML external entity (XXE) vulnerability in the Web Service Navigator in SAP NetWeaver Application Server (AS) Java allows remote attackers to access arbitrary files via a crafted request. Vulnerabilidad de entidad externa XML (XXE) en Web Service Navigator en SAP NetWeaver Application Server (AS) Java permite a atacantes remotos acceder a ficheros arbitrarios a través de una solicitud manipulada. • http://blog.onapsis.com/analyzing-sap-security-notes-october-2014-edition •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3133
https://notcve.org/view.php?id=CVE-2014-3133
30 Apr 2014 — SAP Netweaver Java Application Server does not properly restrict access, which allows remote attackers to obtain the list of SAP systems registered on an SLD via an unspecified webdynpro, related to SystemSelection. SAP Netweaver Java Application Server no restringe debidamente acceso, lo que permite a atacantes remotos obtener la lista de sistemas SAP registrados en un SLD a través de un webdynpro no especificado, relacionado con SystemSelection. • http://scn.sap.com/docs/DOC-8218 • CWE-264: Permissions, Privileges, and Access Controls •