Filtered by vendor Sap
Filtered by product Netweaver Application Server Java
Total: 66 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-26826 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-04 | 6.5 Medium |
Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to Unrestricted File Upload. | ||||
CVE-2020-6365 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-04 | 6.1 Medium |
SAP NetWeaver AS Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, Start Page allows an unauthenticated remote attacker to redirect users to a malicious site due to insufficient reverse tabnabbing URL validation. The attacker could execute phishing attacks to steal credentials of the victim or to redirect users to untrusted web pages containing malware or similar malicious exploits. | ||||
CVE-2020-6313 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-04 | 6.5 Medium |
SAP NetWeaver Application Server JAVA (XML Forms), versions 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, which allows an authenticated user with special roles to store malicious content that, when accessed by a victim, can perform malicious actions by executing JavaScript, leading to Stored Cross-Site Scripting. | ||||
CVE-2020-6263 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-04 | 9.8 Critical |
Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not perform any authentication checks for operations that require user identity leading to Authentication Bypass. | ||||
CVE-2020-6282 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-04 | 5.8 Medium |
SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. | ||||
CVE-2020-6286 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-04 | 5.3 Medium |
The insufficient input path validation of certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal. | ||||
CVE-2020-6319 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-04 | 6.1 Medium |
SAP NetWeaver Application Server Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50 allows an unauthenticated attacker to include JavaScript blocks in any web page or URL with different symbols which are otherwise not allowed. On successful exploitation an attacker can steal authentication information of the user, such as data relating to his or her current session and limitedly impact confidentiality and integrity of the application, leading to Reflected Cross Site Scripting. | ||||
CVE-2020-6309 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-04 | 7.5 High |
SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the attacker to send several payloads and leading to complete denial of service. | ||||
CVE-2020-6287 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-04 | 10.0 Critical |
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check. | ||||
CVE-2020-6224 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-04 | 6.2 Medium |
SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to Information Disclosure. | ||||
CVE-2020-6190 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-04 | 5.8 Medium |
Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and installation path that could be misused by an attacker leading to Information Disclosure. | ||||
CVE-2020-6202 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-04 | 7.2 High |
SAP NetWeaver Application Server Java (User Management Engine), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate the LDAP data source configuration XML document accepted from an untrusted source, leading to Missing XML Validation. | ||||
CVE-2021-37535 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-04 | 9.8 Critical |
SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges. | ||||
CVE-2021-33689 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-03 | 4.3 Medium |
When a user with insufficient privileges tries to access any application in SAP NetWeaver Administrator (Administrator applications), version - 7.50, no security audit log is created. Therefore, security audit log Integrity is impacted. | ||||
CVE-2021-33670 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-03 | 7.5 High |
SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability. | ||||
CVE-2021-33687 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-03 | 4.9 Medium |
SAP NetWeaver AS JAVA (Enterprise Portal), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, reveals sensitive information in one of its HTTP requests; an attacker can use this in conjunction with other attacks such as XSS to steal this information. | ||||
CVE-2021-27601 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-03 | 5.4 Medium |
SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree. | ||||
CVE-2021-27598 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-03 | 5.3 Medium |
SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet. | ||||
CVE-2021-21492 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-03 | 4.3 Medium |
SAP NetWeaver Application Server Java (HTTP Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate logon group in URLs, resulting in a content spoofing vulnerability when directory listing is enabled. | ||||
CVE-2021-21491 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-03 | 6.1 Medium |
SAP NetWeaver Application Server Java (Applications based on WebDynpro Java), versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. |