Vulnerabilities > SAP > Netweaver

DATE CVE VULNERABILITY TITLE RISK
2024-01-09 CVE-2024-22124 Unspecified vulnerability in SAP Netweaver
Under certain conditions, Internet Communication Manager (ICM) or SAP Web Dispatcher - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22_EXT, WEBDISP 7.22_EXT, WEBDISP 7.53, WEBDISP 7.54, could allow an attacker to access information which would otherwise be restricted causing high impact on confidentiality.
network
low complexity
sap
7.5
2023-09-12 CVE-2023-41367 Missing Authentication for Critical Function vulnerability in SAP Netweaver 7.50
Due to missing authentication check in webdynpro application, an unauthorized user in SAP NetWeaver (Guided Procedures) - version 7.50, can gain access to admin view of specific function anonymously.
network
low complexity
sap CWE-306
5.3
2023-07-11 CVE-2023-36922 OS Command Injection vulnerability in SAP Netweaver
Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension.
network
low complexity
sap CWE-78
8.8
2023-06-13 CVE-2023-32114 Unspecified vulnerability in SAP Netweaver
SAP NetWeaver (Change and Transport System) - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an authenticated user with admin privileges to maliciously run a benchmark program repeatedly in intent to slowdown or make the server unavailable which may lead to a limited impact on Availability with No impact on Confidentiality and Integrity of the application.
network
low complexity
sap
2.7
2023-06-13 CVE-2023-33984 Cross-site Scripting vulnerability in SAP Netweaver 7.50
SAP NetWeaver (Design Time Repository) - version 7.50, returns an unfavorable content type for some versioned files, which could allow an authorized attacker to create a file with a malicious content and send a link to a victim in an email or instant message.
network
low complexity
sap CWE-79
5.4
2023-06-13 CVE-2023-33985 Cross-site Scripting vulnerability in SAP Netweaver 7.50
SAP NetWeaver Enterprise Portal - version 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack.
network
low complexity
sap CWE-79
6.1
2023-03-14 CVE-2023-0021 Cross-site Scripting vulnerability in SAP Netweaver
Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password, which could lead to reflected Cross-Site scripting.
network
low complexity
sap CWE-79
6.1
2022-06-13 CVE-2022-28217 Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver
Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at endpoints, and a possibility to conduct SSRF attacks that could compromise system?s Availability by causing system to crash.
network
low complexity
sap CWE-918
6.5
2022-04-12 CVE-2022-28772 Out-of-bounds Write vulnerability in SAP Netweaver and web Dispatcher
By overlong input values an attacker may force overwrite of the internal program stack in SAP Web Dispatcher - versions 7.53, 7.77, 7.81, 7.85, 7.86, or Internet Communication Manager - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, which makes these programs unavailable, leading to denial of service.
network
low complexity
sap CWE-787
5.0
2022-04-12 CVE-2022-28773 Uncontrolled Recursion vulnerability in SAP Netweaver and web Dispatcher
Due to an uncontrolled recursion in SAP Web Dispatcher and SAP Internet Communication Manager, the application may crash, leading to denial of service, but can be restarted automatically.
network
low complexity
sap CWE-674
7.5