Vulnerabilities > SAP > Netweaver > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-09-11 CVE-2018-2462 Improper Input Validation vulnerability in SAP Netweaver
In certain cases, BEx Web Java Runtime Export Web Service in SAP NetWeaver BI 7.30, 7.31.
network
low complexity
sap CWE-20
6.5
2018-09-11 CVE-2018-2452 Cross-site Scripting vulnerability in SAP Netweaver
The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability.
network
sap CWE-79
4.3
2018-07-10 CVE-2018-2434 Insufficient Verification of Data Authenticity vulnerability in SAP Netweaver, UI Infra and User Interface Technology
A content spoofing vulnerability in the following components allows to render html pages containing arbitrary plain text content, which might fool an end user: UI add-on for SAP NetWeaver (UI_Infra, 1.0), SAP UI Implementation for Decoupled Innovations (UI_700, 2.0): SAP NetWeaver 7.00 Implementation, SAP User Interface Technology (SAP_UI 7.4, 7.5, 7.51, 7.52).
network
sap CWE-345
4.3
2018-01-09 CVE-2018-2363 Code Injection vulnerability in SAP products
SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user's choice.
network
low complexity
sap CWE-94
6.5
2017-09-19 CVE-2017-14581 Resource Exhaustion vulnerability in SAP Netweaver
The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash) via a crafted request, aka SAP Security Note 2389181.
network
low complexity
sap CWE-400
5.0
2017-07-25 CVE-2017-11457 XXE vulnerability in SAP Netweaver 7.5
XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249.
network
low complexity
sap CWE-611
4.0
2017-05-23 CVE-2017-8913 XXE vulnerability in SAP Netweaver 7.5
The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873.
network
low complexity
sap CWE-611
6.5
2017-04-14 CVE-2017-7717 SQL Injection vulnerability in SAP Netweaver 7.40
SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504.
network
low complexity
sap CWE-89
6.5
2017-04-10 CVE-2016-10304 Deserialization of Untrusted Data vulnerability in SAP Netweaver 7.5
The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788.
network
low complexity
sap CWE-502
4.0
2017-01-23 CVE-2017-5372 Information Exposure vulnerability in SAP Netweaver
The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for the (1) getInformation, (2) getParameters, (3) getServiceInfo, (4) getStatistic, or (5) getClientStatistic function, aka SAP Security Note 2331908.
network
low complexity
sap CWE-200
5.0