CVSS: 9.9EPSS: 4%CPEs: 6EXPL: 0CVE-2021-37531 – SAP Enterprise Portal XSLT Injection
https://notcve.org/view.php?id=CVE-2021-37531
14 Sep 2021 — SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, contains an XSLT vulnerability which allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be accessed by the system and then create a file which will trigger the XSLT engine to execute the script contained within the malicious XSL file. This can result in a full compromise of the confidentiality, integrity, a... • http://packetstormsecurity.com/files/165751/SAP-Enterprise-Portal-XSLT-Injection.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2021-33707 – SAP Enterprise Portal Open Redirect
https://notcve.org/view.php?id=CVE-2021-33707
10 Aug 2021 — SAP NetWeaver Knowledge Management allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via a URL stored in a component. This could enable the attacker to compromise the user's confidentiality and integrity. SAP NetWeaver Knowledge Management, permite a atacantes remotos redirigir a usuarios a sitios web arbitrarios y conducir ataques de phishing por medio de una URL almacenada en un componente. Esto podría permitir al atacante comprometer la confidencialidad e integr... • http://packetstormsecurity.com/files/165748/SAP-Enterprise-Portal-Open-Redirect.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-21488
https://notcve.org/view.php?id=CVE-2021-21488
09 Mar 2021 — Knowledge Management versions 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 allows a remote attacker with basic privileges to deserialize user-controlled data without verification, leading to insecure deserialization which triggers the attacker’s code, therefore impacting Availability. Knowledge Management versiones 7.01, 7.02, 7.30, 7.31, 7.40, 7.50, permiten a un atacante remoto con privilegios básicos deserializar unos datos controlados por el usuario sin comprobación, conllevando a una deserialización no segura qu... • https://launchpad.support.sap.com/#/notes/2983436 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2020-6326
https://notcve.org/view.php?id=CVE-2020-6326
09 Sep 2020 — SAP NetWeaver (Knowledge Management), version-7.30,7.31,7.40,7.50, allows an authenticated attacker to create malicious links in the UI, when clicked by victim, will execute arbitrary java scripts thus extracting or modifying information otherwise restricted leading to Stored Cross Site Scripting. SAP NetWeaver (Knowledge Management), versión-7.30,7.31,7.40,7.50, permite a un atacante autenticado crear enlaces maliciosos en la Interfaz de Usuario, cuando la víctima haga clic en él, ejecutará scripts java ar... • https://launchpad.support.sap.com/#/notes/2953112 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-6293
https://notcve.org/view.php?id=CVE-2020-6293
12 Aug 2020 — SAP NetWeaver (Knowledge Management), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to upload a malicious file and also to access, modify or make unavailable existing files but the impact is limited to the files themselves and is restricted by other policies such as access control lists and other upload file size restrictions, leading to Unrestricted File Upload. SAP NetWeaver (Knowledge Management), versiones - 7.30, 7.31, 7.40, 7.50, permite a un atacante no autenticado cargar un a... • https://launchpad.support.sap.com/#/notes/2938162 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2020-6284
https://notcve.org/view.php?id=CVE-2020-6284
12 Aug 2020 — SAP NetWeaver (Knowledge Management), versions - 7.30, 7.31, 7.40, 7.50, allows the automatic execution of script content in a stored file due to inadequate filtering with the accessing user's privileges. If the accessing user has administrative privileges, then the execution of the script content could result in complete compromise of system confidentiality, integrity and availability, leading to Stored Cross Site Scripting. SAP NetWeaver (Knowledge Management), versiones - 7.30, 7.31, 7.40, 7.50, permite ... • https://launchpad.support.sap.com/#/notes/2928635 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 11EXPL: 0CVE-2020-6225
https://notcve.org/view.php?id=CVE-2020-6225
14 Apr 2020 — SAP NetWeaver (Knowledge Management), versions (KMC-CM - 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 and KMC-WPC 7.30, 7.31, 7.40, 7.50), does not sufficiently validate path information provided by users, thus characters representing traverse to parent directory are passed through to the file APIs, allowing the attacker to overwrite, delete, or corrupt arbitrary files on the remote server, leading to Path Traversal. SAP NetWeaver (Knowledge Management), versiones (KMC-CM - 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7... • https://launchpad.support.sap.com/#/notes/2896682 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-6193
https://notcve.org/view.php?id=CVE-2020-6193
12 Feb 2020 — SAP NetWeaver (Knowledge Management ICE Service), versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to execute malicious scripts leading to Reflected Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver (Knowledge Management ICE Service), versiones 7.30, 7.31, 7.40, 7.50, permite a un atacante no autenticado ejecutar scripts maliciosos, conllevando a una vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejada. • https://launchpad.support.sap.com/#/notes/2873012 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0CVE-2017-16678
https://notcve.org/view.php?id=CVE-2017-16678
12 Dec 2017 — Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service, EPBC and EPBC2 from 7.00 to 7.02; KMC-BC 7.30, 7.31, 7.40 and 7.50, that allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application. Vulnerabilidad de Server Side Request Forgery (SSRF) en SAP NetWeaver Knowledge Management Configuration Service, EPBC y EPBC2 desde la versión 7.00 hasta la 7.02 y KMC-BC 7.30, 7.31, 7.40 y 7.50, que permite que u... • http://www.securityfocus.com/bid/102149 • CWE-918: Server-Side Request Forgery (SSRF) •