Vulnerabilities > SAP > Netweaver
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-04-24 | CVE-2025-31324 | Unspecified vulnerability in SAP Netweaver 7.50 SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. | 9.8 |
| 2024-04-09 | CVE-2024-27898 | Unspecified vulnerability in SAP Netweaver 7.5 SAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. | 5.3 |
| 2024-03-12 | CVE-2024-25644 | Incorrect Permission Assignment for Critical Resource vulnerability in SAP Netweaver 7.50 Under certain conditions SAP NetWeaver WSRM - version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application. | 5.3 |
| 2024-01-09 | CVE-2024-22124 | Unspecified vulnerability in SAP Netweaver Under certain conditions, Internet Communication Manager (ICM) or SAP Web Dispatcher - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22_EXT, WEBDISP 7.22_EXT, WEBDISP 7.53, WEBDISP 7.54, could allow an attacker to access information which would otherwise be restricted causing high impact on confidentiality. | 7.5 |
| 2023-09-12 | CVE-2023-41367 | Unspecified vulnerability in SAP Netweaver 7.50 Due to missing authentication check in webdynpro application, an unauthorized user in SAP NetWeaver (Guided Procedures) - version 7.50, can gain access to admin view of specific function anonymously. | 5.3 |
| 2023-07-11 | CVE-2023-36922 | OS Command Injection vulnerability in SAP Netweaver Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. | 8.8 |
| 2023-06-13 | CVE-2023-32114 | Unspecified vulnerability in SAP Netweaver SAP NetWeaver (Change and Transport System) - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an authenticated user with admin privileges to maliciously run a benchmark program repeatedly in intent to slowdown or make the server unavailable which may lead to a limited impact on Availability with No impact on Confidentiality and Integrity of the application. | 2.7 |
| 2023-06-13 | CVE-2023-33984 | Unspecified vulnerability in SAP Netweaver 7.50 SAP NetWeaver (Design Time Repository) - version 7.50, returns an unfavorable content type for some versioned files, which could allow an authorized attacker to create a file with a malicious content and send a link to a victim in an email or instant message. | 5.4 |
| 2023-06-13 | CVE-2023-33985 | Unspecified vulnerability in SAP Netweaver 7.50 SAP NetWeaver Enterprise Portal - version 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack. | 6.1 |
| 2023-04-11 | CVE-2023-29186 | Unspecified vulnerability in SAP Netweaver In SAP NetWeaver (BI CONT ADDON) - versions 707, 737, 747, 757, an attacker can exploit a directory traversal flaw in a report to upload and overwrite files on the SAP server. | 6.5 |