
CVSS: 4.7 | EPSS: 0% | CPEs: 11 | EXPL: 0

SAP NetWeaver Application Server Java Web Container and HTTP Service (Engine API, from 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; J2EE Engine Server Core 7.11, 7.30, 7.31, 7.40, 7.50) do not sufficiently encode user controlled inputs, resulting in a content spoofing vulnerability when error pages are displayed.

• http://www.securityfocus.com/bid/104130
• https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018
• https://launchpad.support.sap.com/#/notes/2550202

• CWE-172: Encoding Error

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function module in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. SAP NetWeaver J2EE engine version 7.40 suffers from a remote SQL injection vulnerability.

• http://packetstormsecurity.com/files/134801/SAP-NetWeaver-J2EE-Engine-7.40-SQL-Injection.html
• http://seclists.org/fulldisclosure/2015/Dec/66
• http://www.securityfocus.com/archive/1/537109/100/0/threaded
• https://erpscan.io/advisories/erpscan-15-021-sap-netweaver-7-4-bp_find_jobs_with_program-sql-injection

• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')