Vulnerabilities > SAP > Netweaver Application Server Java

DATE CVE VULNERABILITY TITLE RISK
2019-08-14 CVE-2019-0345 Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Application Server Java
A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery.
network
low complexity
sap CWE-918
critical
 9.8
9.8
2019-07-10 CVE-2019-0327 Unrestricted Upload of File with Dangerous Type vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation.
network
low complexity
sap CWE-434
7.2
7.2
2019-07-10 CVE-2019-0318 Unspecified vulnerability in SAP Netweaver Application Server Java
Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted.
network
high complexity
sap
5.3
5.3
2019-03-12 CVE-2019-0275 Cross-site Scripting vulnerability in SAP Netweaver Application Server Java
SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
5.4
5.4
2018-12-11 CVE-2018-2504 Cross-site Scripting vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation or Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
6.1
2018-12-11 CVE-2018-2503 Missing Authorization vulnerability in SAP Netweaver Application Server Java
By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict the access to resources that should be protected.
low complexity
sap CWE-862
7.4
7.4
2018-12-11 CVE-2018-2492 XXE vulnerability in SAP Netweaver Application Server Java
SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source.
network
low complexity
sap CWE-611
7.1
7.1
2018-09-11 CVE-2018-2452 Cross-site Scripting vulnerability in SAP Netweaver Application Server Java
The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
6.1
2017-09-19 CVE-2017-14581 Unspecified vulnerability in SAP Netweaver Application Server Java
The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash) via a crafted request, aka SAP Security Note 2389181.
network
low complexity
sap
7.5
7.5
2017-08-07 CVE-2017-12637 Path Traversal vulnerability in SAP Netweaver Application Server Java 7.50
Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a ..
network
low complexity
sap CWE-22
7.5
7.5