Vulnerabilities > SAP > Netweaver Application Server Java
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2016-04-07 | CVE-2016-3975 | Cross-site Scripting vulnerability in SAP Netweaver Application Server Java Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.NavigationURLTester, aka SAP Security Note 2238375. | 6.1 |
| 2016-04-07 | CVE-2016-3974 | XXE vulnerability in SAP Netweaver Application Server Java XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to _tc~monitoring~webservice~web/ServerNodesWSService, aka SAP Security Note 2235994. | 9.1 |
| 2016-04-07 | CVE-2016-3973 | Information Exposure vulnerability in SAP Netweaver Application Server Java The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to obtain sensitive user information by visiting webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#, pressing "Add users", and doing a search, aka SAP Security Note 2255990. | 5.3 |
| 2016-02-16 | CVE-2016-2388 | Information Exposure vulnerability in SAP Netweaver Application Server Java The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846. | 5.3 |
| 2016-02-16 | CVE-2016-2386 | SQL Injection vulnerability in SAP Netweaver Application Server Java 7.40 SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079. | 9.8 |