Total
61 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-26826 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to Unrestricted File Upload. | |||||
| CVE-2020-26820 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 9.0 HIGH | 7.2 HIGH |
| SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to the file system and upload a malicious file. The attacker or another user can then use a separate mechanism to execute OS commands through the uploaded file leading to Privilege Escalation and completely compromise the confidentiality, integrity and availability of the server operating system and any application running on it. | |||||
| CVE-2020-6365 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver AS Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, Start Page allows an unauthenticated remote attacker to redirect users to a malicious site due to insufficient reverse tabnabbing URL validation. The attacker could execute phishing attacks to steal credentials of the victim or to redirect users to untrusted web pages containing malware or similar malicious exploits. | |||||
| CVE-2021-21491 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM |
| SAP Netweaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. | |||||
| CVE-2020-26816 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 2.7 LOW | 4.5 MEDIUM |
| SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. This enables an attacker who has administrator access to the SAP NetWeaver AS Java to decode the keys because of missing encryption and get some application data and client credentials of adjacent systems. This highly impacts Confidentiality as information disclosed could contain client credentials of adjacent systems. | |||||
| CVE-2020-6282 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 5.0 MEDIUM | 5.8 MEDIUM |
| SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. | |||||
| CVE-2020-6224 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 3.5 LOW | 6.2 MEDIUM |
| SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to Information Disclosure. | |||||
| CVE-2020-6313 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP NetWeaver Application Server JAVA(XML Forms) versions 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user controlled inputs, which allows an authenticated User with special roles to store malicious content, that when accessed by a victim, can perform malicious actions by executing JavaScript, leading to Stored Cross-Site Scripting. | |||||
| CVE-2020-6263 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not perform any authentication checks for operations that require user identity leading to Authentication Bypass. | |||||
| CVE-2020-6287 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 10.0 HIGH | 10.0 CRITICAL |
| SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check. | |||||
| CVE-2020-6286 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| The insufficient input path validation of certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal. | |||||
| CVE-2020-6309 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 7.8 HIGH | 7.5 HIGH |
| SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the attacker to send several payloads and leading to complete denial of service. | |||||
| CVE-2019-0389 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| An administrator of SAP NetWeaver Application Server Java (J2EE-Framework), (corrected in versions 7.1, 7.2, 7.3, 7.31, 7.4, 7.5), may change privileges for all or some functions in Java Server, and enable users to execute functions, they are not allowed to execute otherwise. | |||||
| CVE-2019-0391 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted. | |||||
| CVE-2020-6202 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
| SAP NetWeaver Application Server Java (User Management Engine), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; does not sufficiently validate the LDAP data source configuration XML document accepted from an untrusted source, leading to Missing XML Validation. | |||||
| CVE-2020-6190 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 5.0 MEDIUM | 5.8 MEDIUM |
| Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and installation path that could be misused by an attacker leading to Information Disclosure. | |||||
| CVE-2019-0318 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 3.5 LOW | 5.3 MEDIUM |
| Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted. | |||||
| CVE-2019-0355 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
| SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application. | |||||
| CVE-2019-0275 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability. | |||||
| CVE-2019-0345 | 1 Sap | 1 Netweaver Application Server Java | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
| A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery. | |||||