Vulnerabilities > SAP > Netweaver Application Server Java > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-06-11 | CVE-2024-28164 | Unspecified vulnerability in SAP Netweaver Application Server Java Gpcore7.5 SAP NetWeaver AS Java (CAF - Guided Procedures) allows an unauthenticated user to access non-sensitive information about the server which would otherwise be restricted causing low impact on confidentiality of the application. | 5.3 |
| 2023-11-14 | CVE-2023-42480 | Improper Restriction of Excessive Authentication Attempts vulnerability in SAP Netweaver Application Server Java 7.50 The unauthenticated attacker in NetWeaver AS Java Logon application - version 7.50, can brute force the login functionality to identify the legitimate user ids. This will have an impact on confidentiality but there is no other impact on integrity or availability. | 5.3 |
| 2023-10-10 | CVE-2023-42477 | Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Application Server Java 7.50 SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application. | 6.5 |
| 2023-03-14 | CVE-2023-24526 | Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server Java 7.50 SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. | 5.3 |
| 2022-12-12 | CVE-2022-41262 | Cross-site Scripting vulnerability in SAP Netweaver Application Server Java 7.50 Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. | 6.1 |
| 2022-03-10 | CVE-2022-26103 | Unspecified vulnerability in SAP Netweaver Application Server Java 7.50 Under certain conditions, SAP NetWeaver (Real Time Messaging Framework) - version 7.50, allows an attacker to access information which could lead to information gathering for further exploits and attacks. | 5.3 |
| 2021-07-14 | CVE-2021-33687 | Information Exposure vulnerability in SAP Netweaver Application Server Java SAP NetWeaver AS JAVA (Enterprise Portal), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 reveals sensitive information in one of their HTTP requests, an attacker can use this in conjunction with other attacks such as XSS to steal this information. | 4.9 |
| 2021-07-14 | CVE-2021-33689 | Unspecified vulnerability in SAP Netweaver Application Server Java 7.50 When user with insufficient privileges tries to access any application in SAP NetWeaver Administrator (Administrator applications), version - 7.50, no security audit log is created. | 4.3 |
| 2021-04-13 | CVE-2021-27601 | Cross-site Scripting vulnerability in SAP Netweaver Application Server Java SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. | 5.4 |
| 2021-04-13 | CVE-2021-27598 | Missing Authorization vulnerability in SAP Netweaver Application Server Java 7.31/7.40/7.50 SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. | 5.3 |