Vulnerabilities > SAP > Netweaver Application Server Abap > Medium

DATE CVE VULNERABILITY TITLE RISK
2021-06-09 CVE-2021-21473 Missing Authorization vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform.
network
low complexity
sap CWE-862
6.3
2021-06-09 CVE-2021-21490 Cross-site Scripting vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user.
network
low complexity
sap CWE-79
6.1
2021-06-09 CVE-2021-33663 Unspecified vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands due to improper restriction of I/O buffering into encrypted SMTP sessions over the network which can partially impact the integrity of the application.
network
low complexity
sap
5.3
2021-05-11 CVE-2021-27611 Code Injection vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver AS ABAP, versions - 700, 701, 702, 730, 731, allow a high privileged attacker to inject malicious code by executing an ABAP report when the attacker has access to the local SAP system.
local
low complexity
sap CWE-94
6.7
2021-04-13 CVE-2021-27603 Unspecified vulnerability in SAP Netweaver Application Server Abap 731/740/750
An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time.
network
low complexity
sap
6.5
2020-12-09 CVE-2020-26835 Cross-site Scripting vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver AS ABAP, versions - 740, 750, 751, 752, 753, 754 , does not sufficiently encode URL which allows an attacker to input malicious java script in the URL which could be executed in the browser resulting in Reflected Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2020-10-15 CVE-2020-6371 Unspecified vulnerability in SAP Netweaver Application Server Abap
User enumeration vulnerability can be exploited to get a list of user accounts and personal user information can be exposed in SAP NetWeaver Application Server ABAP (POWL test application) versions - 710, 711, 730, 731, 740, 750, leading to Information Disclosure.
network
low complexity
sap
4.3
2020-08-12 CVE-2020-6310 Unspecified vulnerability in SAP Abap Platform and Netweaver Application Server Abap
Improper access control in SOA Configuration Trace component in SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 702, 730, 731, 740, 750, allows any authenticated user to enumerate all SAP users, leading to Information Disclosure.
network
low complexity
sap
4.3
2020-08-12 CVE-2020-6299 Unspecified vulnerability in SAP Abap Platform and Netweaver Application Server Abap
SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 740, 750, 751, 752, 753, 754, 755, allows a business user to access the list of users in the given system using value help, leading to Information Disclosure.
network
low complexity
sap
4.3
2020-06-10 CVE-2020-6270 Missing Authorization vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver AS ABAP (Banking Services), versions - 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not perform necessary authorization checks for an authenticated user due to Missing Authorization Check, allowing wrong and unexpected change of individual conditions by a malicious user leading to wrong prices.
network
low complexity
sap CWE-862
6.5