Vulnerabilities > SAP > Netweaver > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-09-12 CVE-2023-41367 Unspecified vulnerability in SAP Netweaver 7.50
Due to missing authentication check in webdynpro application, an unauthorized user in SAP NetWeaver (Guided Procedures) - version 7.50, can gain access to admin view of specific function anonymously.
network
low complexity
sap
5.3
2023-06-13 CVE-2023-33984 Unspecified vulnerability in SAP Netweaver 7.50
SAP NetWeaver (Design Time Repository) - version 7.50, returns an unfavorable content type for some versioned files, which could allow an authorized attacker to create a file with a malicious content and send a link to a victim in an email or instant message.
network
low complexity
sap
5.4
2023-06-13 CVE-2023-33985 Unspecified vulnerability in SAP Netweaver 7.50
SAP NetWeaver Enterprise Portal - version 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack.
network
low complexity
sap
6.1
2023-04-11 CVE-2023-29186 Unspecified vulnerability in SAP Netweaver
In SAP NetWeaver (BI CONT ADDON) - versions 707, 737, 747, 757, an attacker can exploit a directory traversal flaw in a report to upload and overwrite files on the SAP server.
network
low complexity
sap
6.5
2023-04-11 CVE-2023-27499 Cross-site Scripting vulnerability in SAP Netweaver and Netweaver Application Server Abap
SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2023-03-14 CVE-2023-0021 Unspecified vulnerability in SAP Netweaver
Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password, which could lead to reflected Cross-Site scripting.
network
low complexity
sap
6.1
2022-06-13 CVE-2022-28217 Unspecified vulnerability in SAP Netweaver
Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at endpoints, and a possibility to conduct SSRF attacks that could compromise system?s Availability by causing system to crash.
network
low complexity
sap
6.5
2022-02-09 CVE-2022-22534 Cross-site Scripting vulnerability in SAP Netweaver
Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password.
network
low complexity
sap CWE-79
6.1
2021-10-12 CVE-2021-38183 Cross-site Scripting vulnerability in SAP Netweaver
SAP NetWeaver - versions 700, 701, 702, 730, does not sufficiently encode user-controlled inputs, allowing an attacker to cause a potential victim to supply a malicious content to a vulnerable web application, which is then reflected to the victim and executed by the web browser, resulting in Cross-Site Scripting vulnerability.
network
low complexity
sap CWE-79
6.1
2020-07-14 CVE-2020-6285 Unspecified vulnerability in SAP Netweaver
SAP NetWeaver - XML Toolkit for JAVA (ENGINEAPI) (versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50), under certain conditions allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure.
network
low complexity
sap
6.5