Vulnerabilities > SAP > Netweaver

DATE CVE VULNERABILITY TITLE RISK
2018-09-11 CVE-2018-2462 Improper Input Validation vulnerability in SAP Netweaver
In certain cases, BEx Web Java Runtime Export Web Service in SAP NetWeaver BI 7.30, 7.31.
network
low complexity
sap CWE-20
8.8
2018-07-10 CVE-2018-2434 Insufficient Verification of Data Authenticity vulnerability in SAP Netweaver, UI Infra and User Interface Technology
A content spoofing vulnerability in the following components allows to render html pages containing arbitrary plain text content, which might fool an end user: UI add-on for SAP NetWeaver (UI_Infra, 1.0), SAP UI Implementation for Decoupled Innovations (UI_700, 2.0): SAP NetWeaver 7.00 Implementation, SAP User Interface Technology (SAP_UI 7.4, 7.5, 7.51, 7.52).
network
low complexity
sap CWE-345
4.3
2018-01-09 CVE-2018-2363 Code Injection vulnerability in SAP products
SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user's choice.
network
low complexity
sap CWE-94
8.8
2017-09-06 CVE-2015-7241 XXE vulnerability in SAP Netweaver 4.0/6.4/7.0
XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01.
network
low complexity
sap CWE-611
critical
9.8
2017-07-12 CVE-2017-9845 Resource Exhaustion vulnerability in SAP Netweaver 7.40
disp+work 7400.12.21.30308 in SAP NetWeaver 7.40 allows remote attackers to cause a denial of service (resource consumption) via a crafted DIAG request, aka SAP Security Note 2405918.
network
low complexity
sap CWE-400
7.5
2017-07-12 CVE-2017-9844 Deserialization of Untrusted Data vulnerability in SAP Netweaver 7400.12.21.30308
SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, aka SAP Security Note 2399804.
network
low complexity
sap CWE-502
critical
9.8
2017-04-10 CVE-2016-10311 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP Netweaver
Stack-based buffer overflow in SAP NetWeaver 7.0 through 7.5 allows remote attackers to cause a denial of service () by sending a crafted packet to the SAPSTARTSRV port, aka SAP Security Note 2295238.
network
low complexity
sap CWE-119
critical
9.8
2017-01-23 CVE-2017-5372 Information Exposure vulnerability in SAP Netweaver
The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for the (1) getInformation, (2) getParameters, (3) getServiceInfo, (4) getStatistic, or (5) getClientStatistic function, aka SAP Security Note 2331908.
network
low complexity
sap CWE-200
7.5
2016-10-13 CVE-2016-7437 Unspecified vulnerability in SAP Netweaver 7.40
SAP Netweaver 7.40 improperly logs (1) DUI and (2) DUJ events in the SAP Security Audit Log as non-critical, which might allow local users to hide rejected attempts to execute RFC function callbacks by leveraging filtering of non-critical events in audit analysis reports, aka SAP Security Note 2252312.
local
low complexity
sap
3.3
2016-10-13 CVE-2016-3635 Improper Access Control vulnerability in SAP Netweaver 7.40
SAP Netweaver 7.4 allows remote authenticated users to bypass an intended Unified Connectivity (UCON) access control list and execute arbitrary Remote Function Modules (RFM) by leveraging a connection created from earlier execution of an anonymous RFM included in a Communication Assembly, aka SAP Security Note 2139366.
network
high complexity
sap CWE-284
7.5