Vulnerabilities > SAP > Netweaver Application Server Java > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2020-04-14 | CVE-2020-6224 | Information Exposure Through Log Files vulnerability in SAP Netweaver Application Server Java | SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to Information Disclosure. | 6.2 |
2020-02-12 | CVE-2020-6190 | Information Exposure vulnerability in SAP Netweaver Application Server Java | Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and installation path that could be misused by an attacker leading to Information Disclosure. | 5.8 |
2019-11-13 | CVE-2019-0391 | Unspecified vulnerability in SAP Netweaver Application Server Java | Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted. | 4.3 |
2019-07-10 | CVE-2019-0318 | Unspecified vulnerability in SAP Netweaver Application Server Java | Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted. | 5.3 |
2019-03-12 | CVE-2019-0275 | Cross-site Scripting vulnerability in SAP Netweaver Application Server Java | SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability. | 5.4 |
2018-12-11 | CVE-2018-2504 | Cross-site Scripting vulnerability in SAP Netweaver Application Server Java | SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation or Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2018-09-11 | CVE-2018-2452 | Cross-site Scripting vulnerability in SAP Netweaver Application Server Java | The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability. | 6.1 |
2017-07-25 | CVE-2017-11458 | Cross-site Scripting vulnerability in SAP Netweaver Application Server Java 7.30 | Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783. | 6.1 |
2017-07-25 | CVE-2017-11457 | XXE vulnerability in SAP Netweaver Application Server Java 7.50 | XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249. | 6.5 |
2017-04-10 | CVE-2016-10304 | Deserialization of Untrusted Data vulnerability in SAP Netweaver Application Server Java 7.50 | The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788. | 6.5 |