CVE-2024-28163 – Information Disclosure vulnerability in SAP NetWeaver Process Integration (Support Web Pages)
https://notcve.org/view.php?id=CVE-2024-28163
12 Mar 2024 — Under certain conditions, Support Web Pages of SAP NetWeaver Process Integration (PI) - versions 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application. • https://me.sap.com/notes/3434192 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2023-37488 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Process Integration
https://notcve.org/view.php?id=CVE-2023-37488
08 Aug 2023 — In SAP NetWeaver Process Integration - versions SAP_XIESR 7.50, SAP_XITOOL 7.50, SAP_XIAF 7.50, user-controlled inputs, if not sufficiently encoded, could result in Cross-Site Scripting (XSS) attack. On successful exploitation the attacker can cause limited impact on confidentiality and integrity of the system. • https://me.sap.com/notes/3350494 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35873 – Missing Authentication check in SAP NetWeaver Process Integration (Runtime Workbench)
https://notcve.org/view.php?id=CVE-2023-35873
11 Jul 2023 — The Runtime Workbench (RWB) of SAP NetWeaver Process Integration - version SAP_XITOOL 7.50, does not perform authentication checks for certain functionalities that require user identity. An unauthenticated user might access technical data about the product status and its configuration. The vulnerability does not allow access to sensitive information or administrative functionalities. On successful exploitation an attacker can cause limited impact on confidentiality and availability of the application. • https://me.sap.com/notes/3343547 • CWE-306: Missing Authentication for Critical Function
CVE-2023-35872 – Missing Authentication check in SAP NetWeaver Process Integration (Message Display Tool)
https://notcve.org/view.php?id=CVE-2023-35872
11 Jul 2023 — The Message Display Tool (MDT) of SAP NetWeaver Process Integration - version SAP_XIAF 7.50, does not perform authentication checks for certain functionalities that require user identity. An unauthenticated user might access technical data about the product status and its configuration. The vulnerability does not allow access to sensitive information or administrative functionalities. On successful exploitation an attacker can cause limited impact on confidentiality and availability of the application. • https://me.sap.com/notes/3343564 • CWE-306: Missing Authentication for Critical Function
CVE-2022-41272
https://notcve.org/view.php?id=CVE-2022-41272
13 Dec 2022 — An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) - version 7.50 and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data across the entire system. This allows the attacker to have full read access to user data, make limited modifications to user data, and degrade the performance of the system, lead... • https://github.com/redrays-io/CVE-2022-41272 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-306: Missing Authentication for Critical Function CWE-862: Missing Authorization •
CVE-2022-41271
https://notcve.org/view.php?id=CVE-2022-41271
13 Dec 2022 — An unauthenticated user can attach to an open interface exposed through JNDI by the Messaging System of SAP NetWeaver Process Integration (PI) - version 7.50. This user can make use of an open naming and directory API to access services that could perform unauthorized operations. The vulnerability affects local users and data, leading to a considerable impact on confidentiality as well as availability and a limited impact on the integrity of the application. These operations can be used to: * Read any infor... • https://launchpad.support.sap.com/#/notes/3267780 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-306: Missing Authentication for Critical Function CWE-862: Missing Authorization •
CVE-2021-27618
https://notcve.org/view.php?id=CVE-2021-27618
11 May 2021 — The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not check the file type extension of the file uploaded from local source. An attacker could craft a malicious file and upload it to the application, which could lead to denial of service and impact the availability of the application. • https://launchpad.support.sap.com/#/notes/3012021 • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2021-27617
https://notcve.org/view.php?id=CVE-2021-27617
11 May 2021 — The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document uploaded from local source. An attacker can craft a malicious XML which when uploaded and parsed by the application, could lead to Denial-of-service conditions due to consumption of a large amount of system memory, thus highly impacting system availability. • https://launchpad.support.sap.com/#/notes/3012021 • CWE-20: Improper Input Validation
CVE-2021-27599
https://notcve.org/view.php?id=CVE-2021-27599
14 Apr 2021 — SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Integration Builder Framework), versions - 7.10, 7.30, 7.31, 7.40, 7.50, allows an attacker to access information under certain conditions, which would otherwise be restricted. • https://launchpad.support.sap.com/#/notes/3012277
CVE-2021-27604
https://notcve.org/view.php?id=CVE-2021-27604
14 Apr 2021 — In order to prevent XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SAP recommends to refer this note. • https://launchpad.support.sap.com/#/notes/3036436 • CWE-611: Improper Restriction of XML External Entity Reference