VYPR

NetWeaver AS Java

by SAP

CVEs (61)

  • CVE-2024-45283 | Med | Sep 10, 2024
    risk 0.39 | cvss 6.0 | epss 0.00

    SAP NetWeaver AS for Java allows an authorized attacker to obtain sensitive information. The attacker could obtain the username and password when creating an RFC destination. After successful exploitation, an attacker can read the sensitive information but cannot modify or…

  • CVE-2020-6190 | Med | Feb 12, 2020
    risk 0.38 | cvss 5.8 | epss 0.01

    Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and installation path that could be misused by an attacker leading to Information Disclosure.

  • CVE-2020-6286 | Med | Jul 14, 2020
    risk 0.37 | cvss 5.3 | epss 0.28

    The insufficient input path validation of certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to…

  • CVE-2021-27601 | Med | Apr 13, 2021
    risk 0.35 | cvss 5.4 | epss 0.00

    SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify…

  • CVE-2021-27598 | Med | Apr 13, 2021
    risk 0.35 | cvss 5.3 | epss 0.01

    SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet.

  • CVE-2016-3973 | Med | Apr 7, 2016
    risk 0.35 | cvss 5.3 | epss 0.02

    The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to obtain sensitive user information by visiting webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#, pressing "Add users", and…

  • CVE-2024-47592 | Med | Nov 12, 2024
    risk 0.34 | cvss 5.3 | epss 0.00

    SAP NetWeaver AS Java allows an unauthenticated attacker to brute force the login functionality in order to identify the legitimate user IDs. This has an impact on confidentiality but not on integrity or availability.

  • CVE-2024-28164 | Med | Jun 11, 2024
    risk 0.34 | cvss 5.3 | epss 0.00

    SAP NetWeaver AS Java (CAF - Guided Procedures) allows an unauthenticated user to access non-sensitive information about the server which would otherwise be restricted causing low impact on confidentiality of the application.

  • CVE-2023-42480 | Med | Nov 14, 2023
    risk 0.34 | cvss 5.3 | epss 0.01

    The unauthenticated attacker in NetWeaver AS Java Logon application - version 7.50, can brute force the login functionality to identify the legitimate user ids. This will have an impact on confidentiality but there is no other impact on integrity or availability.

  • CVE-2023-31405 | Med | Jul 11, 2023
    risk 0.34 | cvss 5.3 | epss 0.00

    SAP NetWeaver AS for Java - versions ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50, allows an unauthenticated attacker to craft a request over the network which can result in unwarranted modifications to a system log without user interaction. There is no ability to view any…

  • CVE-2023-24527 | Med | Apr 11, 2023
    risk 0.34 | cvss 5.3 | epss 0.00

    SAP NetWeaver AS Java for Deploy Service - version 7.5, does not perform any access control checks for functionalities that require user identity enabling an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a…

  • CVE-2023-27268 | Med | Mar 14, 2023
    risk 0.34 | cvss 5.3 | epss 0.00

    SAP NetWeaver AS Java (Object Analyzing Service) - version 7.50, does not perform necessary authorization checks, allowing an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to…

  • CVE-2023-26460 | Med | Mar 14, 2023
    risk 0.34 | cvss 5.3 | epss 0.00

    Cache Management Service in SAP NetWeaver Application Server for Java - version 7.50, does not perform any authentication checks for functionalities that require user identity

  • CVE-2025-0057 | Med | Jan 14, 2025
    risk 0.31 | cvss 4.8 | epss 0.00

    SAP NetWeaver AS JAVA (User Admin Application) is vulnerable to stored cross site scripting vulnerability. An attacker posing as an admin can upload a photo with malicious JS content. When a victim visits the vulnerable component, the attacker can read and modify information…

  • CVE-2024-47588 | Med | Nov 12, 2024
    risk 0.31 | cvss 4.7 | epss 0.00

    In SAP NetWeaver Java (Software Update Manager 1.1), under certain conditions when a software upgrade encounters errors, credentials are written in plaintext to a log file. An attacker with local access to the server, authenticated as a non-administrative user, can acquire the…

  • CVE-2024-45280 | Med | Sep 10, 2024
    risk 0.31 | cvss 4.8 | epss 0.00

    Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. This has a limited impact on confidentiality and integrity of the application. There is no impact on availability.

  • CVE-2020-26816 | Med | Dec 9, 2020
    risk 0.29 | cvss 4.5 | epss 0.00

    SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. This enables an attacker who has…

  • CVE-2025-42925 | Med | Sep 9, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a brute force search. By leveraging knowledge of several identifiers generated close…

  • CVE-2019-0391 | Med | Nov 13, 2019
    risk 0.28 | cvss 4.3 | epss 0.01

    Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted.

  • CVE-2025-42927 | Low | Sep 9, 2025
    risk 0.22 | cvss 3.4 | epss 0.00

    SAP NetWeaver AS Java application uses Adobe Document Service, installed with a vulnerable version of OpenSSL. Successful exploitation of known vulnerabilities in the outdated OpenSSL library would allow user with high system privileges to access and modify system…