Vulnerabilities (CVE)

Filtered by vendor Sap Subscribe
Filtered by product Netweaver Application Server Java
Total 65 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-0345 1 Sap 1 Netweaver Application Server Java 2024-11-21 5.0 MEDIUM 9.8 CRITICAL
A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery.
CVE-2019-0327 1 Sap 1 Netweaver Application Server Java 2024-11-21 6.5 MEDIUM 7.2 HIGH
SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation.
CVE-2019-0318 1 Sap 1 Netweaver Application Server Java 2024-11-21 3.5 LOW 5.3 MEDIUM
Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted.
CVE-2019-0275 1 Sap 1 Netweaver Application Server Java 2024-11-21 3.5 LOW 5.4 MEDIUM
SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability.
CVE-2018-2504 1 Sap 1 Netweaver Application Server Java 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation or Cross-Site Scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50.
CVE-2018-2503 1 Sap 1 Netweaver Application Server Java 2024-11-21 3.3 LOW 7.4 HIGH
By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict the access to resources that should be protected. This has been fixed in SAP NetWeaver AS Java (ServerCore versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50).
CVE-2018-2492 1 Sap 1 Netweaver Application Server Java 2024-11-21 5.5 MEDIUM 7.1 HIGH
SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50.
CVE-2018-2452 1 Sap 1 Netweaver Application Server Java 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability.
CVE-2017-8913 1 Sap 1 Netweaver Application Server Java 2024-11-21 6.5 MEDIUM 8.8 HIGH
The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873.
CVE-2017-7717 1 Sap 1 Netweaver Application Server Java 2024-11-21 6.5 MEDIUM 8.8 HIGH
SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504.
CVE-2017-14581 1 Sap 1 Netweaver Application Server Java 2024-11-21 5.0 MEDIUM 7.5 HIGH
The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash) via a crafted request, aka SAP Security Note 2389181.
CVE-2017-12637 1 Sap 1 Netweaver Application Server Java 2024-11-21 5.0 MEDIUM 7.5 HIGH
Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.
CVE-2017-11458 1 Sap 1 Netweaver Application Server Java 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783.
CVE-2017-11457 1 Sap 1 Netweaver Application Server Java 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249.
CVE-2016-9563 1 Sap 1 Netweaver Application Server Java 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.
CVE-2016-9562 1 Sap 1 Netweaver Application Server Java 2024-11-21 5.0 MEDIUM 7.5 HIGH
SAP NetWeaver AS JAVA 7.4 allows remote attackers to cause a Denial of Service (null pointer exception and icman outage) via an HTTPS request to the sap.com~P4TunnelingApp!web/myServlet URI, aka SAP Security Note 2313835.
CVE-2016-3976 1 Sap 1 Netweaver Application Server Java 2024-11-21 5.0 MEDIUM 7.5 HIGH
Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971.
CVE-2016-3975 1 Sap 1 Netweaver Application Server Java 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.NavigationURLTester, aka SAP Security Note 2238375.
CVE-2016-3974 1 Sap 1 Netweaver Application Server Java 2024-11-21 6.4 MEDIUM 9.1 CRITICAL
XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to _tc~monitoring~webservice~web/ServerNodesWSService, aka SAP Security Note 2235994.
CVE-2016-3973 1 Sap 1 Netweaver Application Server Java 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to obtain sensitive user information by visiting webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#, pressing "Add users", and doing a search, aka SAP Security Note 2255990.