Vulnerabilities > SAP > Netweaver > 7.40
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-12-11 | CVE-2018-2492 | Improper Input Validation vulnerability in SAP Netweaver SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. | 5.5 |
| 2018-11-13 | CVE-2018-2477 | XML Injection (aka Blind XPath Injection) vulnerability in SAP Netweaver Knowledge Management (XMLForms) in SAP NetWeaver, versions 7.30, 7.31, 7.40 and 7.50 does not sufficiently validate an XML document accepted from an untrusted source. | 6.5 |
| 2018-11-13 | CVE-2018-2476 | Open Redirect vulnerability in SAP Netweaver 7.30/7.31/7.40 Due to insufficient URL Validation in forums in SAP NetWeaver versions 7.30, 7.31, 7.40, an attacker can redirect users to a malicious site. | 5.8 |
| 2018-10-09 | CVE-2018-2470 | Cross-site Scripting vulnerability in SAP Netweaver In SAP NetWeaver Application Server for ABAP, from 7.0 to 7.02, 7.30, 7.31, 7.40 and from 7.50 to 7.53, applications do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | 4.3 |
| 2018-09-11 | CVE-2018-2464 | Cross-site Scripting vulnerability in SAP Netweaver SAP WebDynpro Java, versions 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability. | 4.3 |
| 2018-09-11 | CVE-2018-2462 | Improper Input Validation vulnerability in SAP Netweaver In certain cases, BEx Web Java Runtime Export Web Service in SAP NetWeaver BI 7.30, 7.31. | 6.5 |
| 2018-09-11 | CVE-2018-2452 | Cross-site Scripting vulnerability in SAP Netweaver The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability. | 4.3 |
| 2017-09-19 | CVE-2017-14581 | Resource Exhaustion vulnerability in SAP Netweaver The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash) via a crafted request, aka SAP Security Note 2389181. | 5.0 |
| 2017-07-12 | CVE-2017-9845 | Resource Exhaustion vulnerability in SAP Netweaver 7.40 disp+work 7400.12.21.30308 in SAP NetWeaver 7.40 allows remote attackers to cause a denial of service (resource consumption) via a crafted DIAG request, aka SAP Security Note 2405918. | 7.8 |
| 2017-04-14 | CVE-2017-7717 | SQL Injection vulnerability in SAP Netweaver 7.40 SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504. | 6.5 |