Vulnerabilities > SAP > Netweaver Application Server Java > Medium

DATE CVE VULNERABILITY TITLE RISK
2020-04-14 CVE-2020-6224 Information Exposure Through Log Files vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access sensitive user data such as passwords in trace files, when the user logs in and sends a request with login credentials, leading to Information Disclosure.
network | low complexity | sap CWE-532 | Risk: 6.2
2020-02-12 CVE-2020-6190 Information Exposure vulnerability in SAP Netweaver Application Server Java
Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system, such as hostname, server node and installation path, that could be misused by an attacker, leading to Information Disclosure.
network | low complexity | sap CWE-200 | Risk: 5.8
2019-11-13 CVE-2019-0391 Unspecified vulnerability in SAP Netweaver Application Server Java
Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted.
network | low complexity | sap | Risk: 4.3
2019-07-10 CVE-2019-0318 Unspecified vulnerability in SAP Netweaver Application Server Java
Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted.
network | high complexity | sap | Risk: 5.3
2019-03-12 CVE-2019-0275 Cross-site Scripting vulnerability in SAP Netweaver Application Server Java
The SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in a cross-site scripting (XSS) vulnerability.
network | low complexity | sap CWE-79 | Risk: 5.4
2018-12-11 CVE-2018-2504 Cross-site Scripting vulnerability in SAP Netweaver Application Server Java
The SAP NetWeaver AS Java Web Container service does not validate the HTTP Host header against a whitelist, which can result in HTTP Host Header Manipulation or a Cross-Site Scripting (XSS) vulnerability.
network | low complexity | sap CWE-79 | Risk: 6.1
2018-09-11 CVE-2018-2452 Cross-site Scripting vulnerability in SAP Netweaver Application Server Java
The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability.
network | low complexity | sap CWE-79 | Risk: 6.1
2017-07-25 CVE-2017-11458 Cross-site Scripting vulnerability in SAP Netweaver Application Server Java 7.30
Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783.
network | low complexity | sap CWE-79 | Risk: 6.1
2017-07-25 CVE-2017-11457 XXE vulnerability in SAP Netweaver Application Server Java 7.50
XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249.
network | low complexity | sap CWE-611 | Risk: 6.5
2017-04-10 CVE-2016-10304 Deserialization of Untrusted Data vulnerability in SAP Netweaver Application Server Java 7.50
The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788.
network | low complexity | sap CWE-502 | Risk: 6.5