Vulnerabilities > SAP > Netweaver > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-12 | CVE-2023-41367 | Missing Authentication for Critical Function vulnerability in SAP Netweaver 7.50 Due to missing authentication check in webdynpro application, an unauthorized user in SAP NetWeaver (Guided Procedures) - version 7.50, can gain access to admin view of specific function anonymously. | 5.3 |
| 2023-06-13 | CVE-2023-33984 | Cross-site Scripting vulnerability in SAP Netweaver 7.50 SAP NetWeaver (Design Time Repository) - version 7.50, returns an unfavorable content type for some versioned files, which could allow an authorized attacker to create a file with a malicious content and send a link to a victim in an email or instant message. | 5.4 |
| 2023-06-13 | CVE-2023-33985 | Cross-site Scripting vulnerability in SAP Netweaver 7.50 SAP NetWeaver Enterprise Portal - version 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack. | 6.1 |
| 2023-04-11 | CVE-2023-29186 | Path Traversal vulnerability in SAP Netweaver In SAP NetWeaver (BI CONT ADDON) - versions 707, 737, 747, 757, an attacker can exploit a directory traversal flaw in a report to upload and overwrite files on the SAP server. | 6.5 |
| 2023-04-11 | CVE-2023-27499 | Cross-site Scripting vulnerability in SAP Netweaver and Netweaver Application Server Abap SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. | 6.1 |
| 2023-03-14 | CVE-2023-0021 | Cross-site Scripting vulnerability in SAP Netweaver Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password, which could lead to reflected Cross-Site scripting. | 6.1 |
| 2022-06-13 | CVE-2022-28217 | Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at endpoints, and a possibility to conduct SSRF attacks that could compromise system?s Availability by causing system to crash. | 6.5 |
| 2022-02-09 | CVE-2022-22534 | Cross-site Scripting vulnerability in SAP Netweaver Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password. | 6.1 |
| 2021-10-12 | CVE-2021-38183 | Cross-site Scripting vulnerability in SAP Netweaver SAP NetWeaver - versions 700, 701, 702, 730, does not sufficiently encode user-controlled inputs, allowing an attacker to cause a potential victim to supply a malicious content to a vulnerable web application, which is then reflected to the victim and executed by the web browser, resulting in Cross-Site Scripting vulnerability. | 6.1 |
| 2020-07-14 | CVE-2020-6285 | Unspecified vulnerability in SAP Netweaver SAP NetWeaver - XML Toolkit for JAVA (ENGINEAPI) (versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50), under certain conditions allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure. | 6.5 |