CVE-2021-21491
https://notcve.org/view.php?id=CVE-2021-21491
SAP Netweaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. SAP Netweaver Application Server Java (Aplicaciones basadas en WebDynpro Java) versiones 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, permiten a un atacante redireccionar a usuarios a un sitio malicioso debido a vulnerabilidades de Reverse Tabnabbing • https://launchpad.support.sap.com/#/notes/2976947 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2020-6263
https://notcve.org/view.php?id=CVE-2020-6263
Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not perform any authentication checks for operations that require user identity leading to Authentication Bypass. Los clientes dedicados que se conectan a SAP NetWeaver AS Java por medio del protocolo P4, versiones (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11 , 7.20, 7.30, 7.31, 7.40, 7.50), no realiza ninguna comprobación de autenticación para las operaciones que requieren identidad del usuario conllevando a una Omisión de Autenticación • https://launchpad.support.sap.com/#/notes/2878568 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775 • CWE-306: Missing Authentication for Critical Function •
CVE-2017-14581
https://notcve.org/view.php?id=CVE-2017-14581
The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash) via a crafted request, aka SAP Security Note 2389181. El servicio web Host Control en SAP NetWeaver AS JAVA en sus versiones 7.0 a 7.5 permite que los atacantes remotos provoquen una denegación de servicio (cierre inesperado del servicio) mediante una petición manipulada. Esto también se conoce como SAP Security Note 2389181. • https://erpscan.io/advisories/erpscan-17-030-sap-hostcontrol-remote-dos •
CVE-2010-5326 – SAP NetWeaver Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2010-5326
The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack. El Invoker Servlet sobre plataformas SAP NetWeaver Application Server Java, posiblemente en versiones anteriores a 7.3, no requiere autenticación, loq ue permite a atacantes remotos ejecutar código arbitrario a través de una petición HTTP o HTTPS, según se ha explotado activamente desde 2013 hasta 2016, también conocido como un ataque "Detour". SAP NetWeaver Application Server Java Platforms Invoker Servlet does not require authentication, allowing for remote code execution via a HTTP or HTTPS request. • http://service.sap.com/sap/support/notes/1445998 http://www.onapsis.com/research/publications/sap-security-in-depth-vol4-the-invoker-servlet-a-dangerous-detour-into-sap-java-solutions http://www.securityfocus.com/bid/48925 http://www.securityfocus.com/bid/90533 http://www.us-cert.gov/ncas/alerts/TA16-132A https://www.onapsis.com/threat-report-tip-iceberg-wild-exploitation-cyber-attacks-sap-business-applications •