Vulnerabilities > SAP > Netweaver > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-09-12 CVE-2023-41367 Missing Authentication for Critical Function vulnerability in SAP Netweaver 7.50
Due to missing authentication check in webdynpro application, an unauthorized user in SAP NetWeaver (Guided Procedures) - version 7.50, can gain access to admin view of specific function anonymously.
network
low complexity
sap CWE-306
5.3
2023-06-13 CVE-2023-33984 Cross-site Scripting vulnerability in SAP Netweaver 7.50
SAP NetWeaver (Design Time Repository) - version 7.50, returns an unfavorable content type for some versioned files, which could allow an authorized attacker to create a file with a malicious content and send a link to a victim in an email or instant message.
network
low complexity
sap CWE-79
5.4
2023-06-13 CVE-2023-33985 Cross-site Scripting vulnerability in SAP Netweaver 7.50
SAP NetWeaver Enterprise Portal - version 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack.
network
low complexity
sap CWE-79
6.1
2023-03-14 CVE-2023-0021 Cross-site Scripting vulnerability in SAP Netweaver
Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password, which could lead to reflected Cross-Site scripting.
network
low complexity
sap CWE-79
6.1
2022-06-13 CVE-2022-28217 Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver
Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at endpoints, and a possibility to conduct SSRF attacks that could compromise system?s Availability by causing system to crash.
network
low complexity
sap CWE-918
6.5
2022-04-12 CVE-2022-28772 Out-of-bounds Write vulnerability in SAP Netweaver and web Dispatcher
By overlong input values an attacker may force overwrite of the internal program stack in SAP Web Dispatcher - versions 7.53, 7.77, 7.81, 7.85, 7.86, or Internet Communication Manager - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, which makes these programs unavailable, leading to denial of service.
network
low complexity
sap CWE-787
5.0
2022-02-09 CVE-2022-22534 Cross-site Scripting vulnerability in SAP Netweaver
Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password.
network
low complexity
sap CWE-79
6.1
2021-10-12 CVE-2021-38183 Cross-site Scripting vulnerability in SAP Netweaver
SAP NetWeaver - versions 700, 701, 702, 730, does not sufficiently encode user-controlled inputs, allowing an attacker to cause a potential victim to supply a malicious content to a vulnerable web application, which is then reflected to the victim and executed by the web browser, resulting in Cross-Site Scripting vulnerability.
network
sap CWE-79
4.3
2020-03-10 CVE-2020-6203 Path Traversal vulnerability in SAP Netweaver
SAP NetWeaver UDDI Server (Services Registry), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file APIs, leading to Path Traversal.
network
low complexity
sap CWE-22
6.4
2020-02-12 CVE-2020-6184 Cross-site Scripting vulnerability in SAP Netweaver and S/4Hana
Under certain conditions, ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), does not sufficiently encode user-controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability.
network
sap CWE-79
4.3