CVSS: 4.3EPSS: 0%CPEs: 14EXPL: 0CVE-2025-31331 – Authorization Bypass vulnerability in SAP NetWeaver
https://notcve.org/view.php?id=CVE-2025-31331
08 Apr 2025 — SAP NetWeaver allows an attacker to bypass authorization checks, enabling them to view portions of ABAP code that would normally require additional validation. Once logged into the ABAP system, the attacker can run a specific transaction that exposes sensitive system code without proper authorization. This vulnerability compromises the confidentiality. SAP NetWeaver permite a un atacante eludir las comprobaciones de autorización, lo que le permite ver fragmentos de código ABAP que normalmente requerirían va... • https://me.sap.com/notes/3577131 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-30015 – Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP)
https://notcve.org/view.php?id=CVE-2025-30015
08 Apr 2025 — Due to incorrect memory address handling in ABAP SQL of SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker with high privileges could execute certain forms of SQL queries leading to manipulation of content in the output variable. This vulnerability has a low impact on the confidentiality, integrity and the availability of the application. Debido a la gestión incorrecta de direcciones de memoria en ABAP SQL de SAP NetWeaver y la plataforma ABAP (Servidor de Aplicaciones ABAP... • https://me.sap.com/notes/3565944 • CWE-787: Out-of-bounds Write •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27428 – Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection)
https://notcve.org/view.php?id=CVE-2025-27428
08 Apr 2025 — Due to directory traversal vulnerability, an authorized attacker could gain access to some critical information by using RFC enabled function module. Upon successful exploitation, they could read files from any managed system connected to SAP Solution Manager, leading to high impact on confidentiality. There is no impact on integrity or availability. Debido a una vulnerabilidad de directory traversal, un atacante autorizado podría acceder a información crítica mediante un módulo de función habilitado para R... • https://me.sap.com/notes/3581811 • CWE-862: Missing Authorization •
CVSS: 4.7EPSS: 0%CPEs: 8EXPL: 0CVE-2025-26653 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
https://notcve.org/view.php?id=CVE-2025-26653
08 Apr 2025 — SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an attacker, without requiring any privileges, to inject malicious JavaScript into a website. When a user visits the compromised page, the injected script gets executed, potentially compromising the confidentiality and integrity within the scope of the victim�s browser. Availability is not impacted. SAP NetWeaver Application Server ABAP no codifi... • https://me.sap.com/notes/3559307 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-23186 – Mixed Dynamic RFC Destination vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP
https://notcve.org/view.php?id=CVE-2025-23186
08 Apr 2025 — In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application. En ciertas circunstancias, SAP NetWeaver Application Server ABAP permit... • https://me.sap.com/notes/3554667 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.4EPSS: 0%CPEs: 6EXPL: 0CVE-2025-26659 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
https://notcve.org/view.php?id=CVE-2025-26659
11 Mar 2025 — SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to DOM-basedCross-Site Scripting (XSS) vulnerability. This allows an attacker with no privileges, to craft a malicious web message that exploits WEBGUI functionality. On successful exploitation, the malicious JavaScript payload executes in the scope of victim�s browser potentially compromising their data and/or manipulating browser content. This leads to a limited impact on confidentiality and integrity. There... • https://me.sap.com/notes/3552824 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23190 – Missing Authorization check in SAP NetWeaver and ABAP platform (ST-PI)
https://notcve.org/view.php?id=CVE-2025-23190
11 Feb 2025 — Due to missing authorization check, an authenticated attacker could call a remote-enabled function module which allows them to access data that they would otherwise not have access to. The attacker cannot modify data or impact the availability of the system. • https://me.sap.com/notes/3547581 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23189 – Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN)
https://notcve.org/view.php?id=CVE-2025-23189
11 Feb 2025 — Due to missing authorization check in an RFC enabled function module in transaction SDCCN, an authenticated attacker could generate technical meta-data. This leads to a low impact on integrity. There is no impact on confidentiality or availability • https://me.sap.com/notes/3546470 • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23187 – Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN)
https://notcve.org/view.php?id=CVE-2025-23187
11 Feb 2025 — Due to missing authorization check in an RFC enabled function module in transaction SDCCN, an unauthenticated attacker could generate technical meta-data. This leads to a low impact on integrity. There is no impact on confidentiality or availability. • https://me.sap.com/notes/3546470 • CWE-862: Missing Authorization •
CVSS: 9.9EPSS: 0%CPEs: 12EXPL: 0CVE-2025-0070 – Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform
https://notcve.org/view.php?id=CVE-2025-0070
14 Jan 2025 — SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to obtain illegitimate access to the system by exploiting improper authentication checks, resulting in privilege escalation. On successful exploitation, this can result in potential security concerns. This results in a high impact on confidentiality, integrity, and availability. • https://me.sap.com/notes/3537476 • CWE-287: Improper Authentication •