Vulnerabilities > SAP > Netweaver > Critical

DATE CVE VULNERABILITY TITLE RISK
2020-01-23 CVE-2013-1592 Classic Buffer Overflow vulnerability in SAP Netweaver
A Buffer Overflow vulnerability exists in the Message Server service _MsJ2EE_AddStatistics() function when sending specially crafted SAP Message Server packets to remote TCP ports 36NN and/or 39NN in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04, which could let a remote malicious user execute arbitrary code.
network
low complexity
sap CWE-120
critical
10.0
2016-10-05 CVE-2016-7435 Permissions, Privileges, and Access Controls vulnerability in SAP Netweaver 7.40
The (1) SCTC_REFRESH_EXPORT_TAB_COMP, (2) SCTC_REFRESH_CHECK_ENV, and (3) SCTC_TMS_MAINTAIN_ALOG functions in the SCTC subpackage in SAP Netweaver 7.40 SP 12 allow remote authenticated users with certain permissions to execute arbitrary commands via vectors involving a CALL 'SYSTEM' statement, aka SAP Security Note 2260344.
network
low complexity
sap CWE-264
critical
9.0
2016-05-13 CVE-2010-5326 Remote Code Execution vulnerability in SAP Netweaver Invoker Servlet
The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.
network
low complexity
sap
critical
10.0
2016-04-14 CVE-2016-4014 XML External Entity Injection vulnerability in SAP Netweaver 7.4
XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to uddi/api/replication, aka SAP Security Note 2254389.
network
low complexity
sap
critical
9.0
2013-11-20 CVE-2013-6822 Unspecified vulnerability in SAP Netweaver
GRMGApp in SAP NetWeaver allows remote attackers to have unspecified impact and attack vectors, related to an XML External Entity (XXE) issue.
network
low complexity
sap
critical
10.0
2012-05-15 CVE-2012-2611 Improper Input Validation vulnerability in SAP Netweaver 7.0
The DiagTraceR3Info function in the Dialog processor in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2, when a certain Developer Trace configuration is enabled, allows remote attackers to execute arbitrary code via a crafted SAP Diag packet.
network
sap CWE-20
critical
9.3