Vulnerabilities > SAP > Netweaver Application Server Java > Medium

DATE CVE VULNERABILITY TITLE RISK
2021-04-13 CVE-2021-21485 Unspecified vulnerability in SAP Netweaver Application Server Java
An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user.
network
sap
4.3
2021-03-10 CVE-2021-21491 Open Redirect vulnerability in SAP Netweaver Application Server Java
SAP Netweaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.
network
sap CWE-601
5.8
2020-12-09 CVE-2020-26826 Unrestricted Upload of File with Dangerous Type vulnerability in SAP Netweaver Application Server Java 7.31/7.40/7.50
Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to Unrestricted File Upload.
network
low complexity
sap CWE-434
4.0
2020-10-15 CVE-2020-6365 Open Redirect vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver AS Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, Start Page allows an unauthenticated remote attacker to redirect users to a malicious site due to insufficient reverse tabnabbing URL validation.
network
sap CWE-601
5.8
2020-10-15 CVE-2020-6319 Cross-site Scripting vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver Application Server Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50 allows an unauthenticated attacker to include JavaScript blocks in any web page or URL with different symbols which are otherwise not allowed.
network
sap CWE-79
4.3
2020-09-09 CVE-2020-6313 Improper Input Validation vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver Application Server JAVA(XML Forms) versions 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user controlled inputs, which allows an authenticated User with special roles to store malicious content, that when accessed by a victim, can perform malicious actions by executing JavaScript, leading to Stored Cross-Site Scripting.
network
low complexity
sap CWE-20
4.0
2020-07-14 CVE-2020-6286 Path Traversal vulnerability in SAP Netweaver Application Server Java
The insufficient input path validation of certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal.
network
low complexity
sap CWE-22
5.0
2020-07-14 CVE-2020-6282 Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send a crafted request from a vulnerable web application.
network
low complexity
sap CWE-918
5.0
2020-03-10 CVE-2020-6202 XXE vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver Application Server Java (User Management Engine), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; does not sufficiently validate the LDAP data source configuration XML document accepted from an untrusted source, leading to Missing XML Validation.
network
low complexity
sap CWE-611
6.5
2020-02-12 CVE-2020-6190 Information Exposure vulnerability in SAP Netweaver Application Server Java
Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and installation path that could be misused by an attacker leading to Information Disclosure.
network
low complexity
sap CWE-200
5.0