VYPR

Netweaver As Java

by SAP

CVEs (61)

  • CVE-2016-4015 (High) - Apr 14, 2016
    risk 0.49 | CVSS 7.5 | EPSS 0.03

    The Enqueue Server in SAP NetWeaver JAVA AS 7.1 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted request, aka SAP Security Note 2258784.

  • CVE-2016-3979 (High) - Apr 8, 2016
    risk 0.49 | CVSS 7.5 | EPSS 0.06

    Internet Communication Manager (aka ICMAN or ICM) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (heap memory corruption and process crash) via a crafted HTTP request, related to the IctParseCookies function, aka SAP Security Note 2256185.

  • CVE-2018-2503 (High) - Dec 11, 2018
    risk 0.48 | CVSS 7.4 | EPSS 0.01

    By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict the access to resources that should be protected. This has been fixed in SAP NetWeaver AS Java (ServerCore versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50).

  • CVE-2020-26820 (High) - Nov 10, 2020
    risk 0.47 | CVSS 7.2 | EPSS 0.04

    SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to the file system and upload a malicious file. The attacker or another user can then…

  • CVE-2018-2492 (High) - Dec 11, 2018
    risk 0.46 | CVSS 7.1 | EPSS 0.01

    SAML 2.0 functionality in SAP NetWeaver AS Java does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50.

  • CVE-2024-42372 (Medium) - Nov 12, 2024
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    Due to missing authorization check in SAP NetWeaver AS Java (System Landscape Directory) an unauthorized user can read and modify some restricted global SLD configurations causing low impact on confidentiality and integrity of the application.

  • CVE-2023-42477 (Medium) - Oct 10, 2023
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application.

  • CVE-2021-27635 (Medium) - Jun 9, 2021
    risk 0.42 | CVSS 6.5 | EPSS 0.02

    SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to…

  • CVE-2020-26826 (Medium) - Dec 9, 2020
    risk 0.42 | CVSS 6.5 | EPSS 0.01

    Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to Unrestricted File Upload.

  • CVE-2017-11457 (Medium) - Jul 25, 2017
    risk 0.42 | CVSS 6.5 | EPSS 0.01

    XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249.

  • CVE-2016-10304 (Medium) - Apr 10, 2017
    risk 0.42 | CVSS 6.5 | EPSS 0.02

    The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788.

  • CVE-2026-44746 (Medium) - Jun 9, 2026
    risk 0.40 | CVSS 6.1 | EPSS 0.00

    Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver JAVA (JDBC Test Servlet), an unauthenticated attacker could craft a URL that embeds a malicious script. If a victim clicks this link, the injected input is processed during web page generation,…

  • CVE-2024-22126 (Medium) - Feb 13, 2024
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on…

  • CVE-2022-41262 (Medium) - Dec 12, 2022
    risk 0.40 | CVSS 6.1 | EPSS 0.00

    Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on…

  • CVE-2020-6365 (Medium) - Oct 15, 2020
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    SAP NetWeaver AS Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, Start Page allows an unauthenticated remote attacker to redirect users to a malicious site due to insufficient reverse tabnabbing URL validation. The attacker could execute phishing attacks to steal…

  • CVE-2020-6224 (Medium) - Apr 14, 2020
    risk 0.40 | CVSS 6.2 | EPSS 0.01

    SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to…

  • CVE-2018-2504 (Medium) - Dec 11, 2018
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    The SAP NetWeaver AS Java Web Container service does not validate the HTTP Host header against a whitelist, which can result in HTTP Host header manipulation or a cross-site scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50.

  • CVE-2018-2452 (Medium) - Sep 11, 2018
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability.

  • CVE-2017-11458 (Medium) - Jul 25, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783.

  • CVE-2016-3975 (Medium) - Apr 7, 2016
    risk 0.40 | CVSS 6.1 | EPSS 0.02

    Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.Navigatio…