VYPR

SAP Web Application Server

by SAP

CVEs (81)

  • CVE-2025-42901 | Med | Oct 14, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    SAP Application Server for ABAP allows an authenticated attacker to store malicious JavaScript payloads which could be executed in victim user's browser when accessing the affected functionality of BAPI explorer. This has low impact on confidentiality and integrity with no…

  • CVE-2026-27688 | Med | Mar 10, 2026
    risk 0.33 | cvss 5.0 | epss 0.00

    Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database Analyzer Log Files via a specific RFC function module. The attacker with the necessary privileges to execute this function module…

  • CVE-2025-42961 | Med | Jul 8, 2025
    risk 0.32 | cvss 4.9 | epss 0.00

    Due to a missing authorization check in SAP NetWeaver Application server for ABAP, an authenticated user with high privileges could exploit the insufficient validation of user permissions to access sensitive database tables. By leveraging overly permissive access configurations,…

  • CVE-2025-26653 | Med | Apr 8, 2025
    risk 0.31 | cvss 4.7 | epss 0.00

    SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an attacker, without requiring any privileges, to inject malicious JavaScript into a website. When a user visits…

  • CVE-2025-42882 | Med | Nov 11, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with basic privileges could execute a specific function module in ABAP to retrieve restricted technical information from the system. This disclosure of environment…

  • CVE-2025-27437 | Med | Apr 8, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    A Missing Authorization Check vulnerability exists in the Virus Scanner Interface of SAP NetWeaver Application Server ABAP. Because of this, an attacker authenticated as a non-administrative user can initiate a transaction, allowing them to access but not modify non-sensitive…

  • CVE-2025-0068 | Med | Jan 14, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    An obsolete functionality in SAP NetWeaver Application Server ABAP did not perform necessary authorization checks. Because of this, an authenticated attacker could obtain information that would otherwise be restricted. It has no impact on integrity or availability on the…

  • CVE-2024-47585 | Med | Dec 10, 2024
    risk 0.28 | cvss 4.3 | epss 0.00

    SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks, resulting in privilege escalation. While authorizations for import and export are…

  • CVE-2024-47593 | Med | Nov 12, 2024
    risk 0.28 | cvss 4.3 | epss 0.00

    SAP NetWeaver Application Server ABAP allows an unauthenticated attacker with network access to read files from the server, which otherwise would be restricted. This attack is possible only if a Web Dispatcher or some sort of Proxy Server is in use and the file in question was…

  • CVE-2025-42935 | Med | Aug 12, 2025
    risk 0.27 | cvss 4.1 | epss 0.00

    The SAP NetWeaver Application Server ABAP and ABAP Platform Internet Communication Manager (ICM) permits authorized users with admin privileges and local access to log files to read sensitive information, resulting in information disclosure. This leads to high impact on the…

  • CVE-2026-24310 | Low | Mar 10, 2026
    risk 0.23 | cvss 3.5 | epss 0.00

    Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module and read the sensitive information from database catalog of the ABAP system. This vulnerability has low impact on the…

  • CVE-2022-22536 | KEV | Feb 9, 2022
    risk 0.23 | cvss | epss 0.98

    SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary…

  • CVE-2025-42883 | Low | Nov 11, 2025
    risk 0.18 | cvss 2.7 | epss 0.00

    Migration Workbench (DX Workbench) in SAP NetWeaver Application Server for ABAP fails to trigger a malware scan when an attacker with administrative privileges uploads files to the application server. An attacker could leverage this and upload a malicious file into the system.…

  • CVE-2006-6010 | Nov 21, 2006
    risk 0.04 | cvss | epss 0.14

    SAP allows remote attackers to obtain potentially sensitive information such as operating system and SAP version via an RFC_SYSTEM_INFO RfcCallReceive request, a different vulnerability than CVE-2003-0747.

  • CVE-2005-3634 | Nov 16, 2005
    risk 0.04 | cvss | epss 0.19

    frameset.htm in the BSP runtime in SAP Web Application Server (WAS) 6.10 through 7.00 allows remote attackers to log users out and redirect them to arbitrary web sites via a close command in the sap-sessioncmd parameter and a URL in the sap-exiturl parameter.

  • CVE-2008-2421 | May 23, 2008
    risk 0.03 | cvss | epss 0.02

    Cross-site scripting (XSS) vulnerability in the Web GUI in SAP Web Application Server (WAS) 7.0, Web Dynpro for ABAP (aka WD4A or WDA), and Web Dynpro for BSP allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under…

  • CVE-2006-5784 | Nov 7, 2006
    risk 0.03 | cvss | epss 0.03

    Unspecified vulnerability in enserver.exe in SAP Web Application Server 6.40 before patch 136 and 7.00 before patch 66 allows remote attackers to read arbitrary files via crafted data on a "3200+SYSNR" TCP port, as demonstrated by port 3201. NOTE: this issue can be leveraged by…

  • CVE-2006-1039 | Mar 7, 2006
    risk 0.03 | cvss | epss 0.03

    SAP Web Application Server (WebAS) Kernel before 7.0 allows remote attackers to inject arbitrary bytes into the HTTP response and obtain sensitive authentication information, or have other impacts, via a ";%20" followed by encoded HTTP headers.

  • CVE-2005-3636 | Nov 16, 2005
    risk 0.03 | cvss | epss 0.05

    Cross-site scripting (XSS) vulnerability in SAP Web Application Server (WAS) 6.10 allows remote attackers to inject arbitrary web script or HTML via Error Pages.

  • CVE-2005-3635 | Nov 16, 2005
    risk 0.03 | cvss | epss 0.05

    Multiple cross-site scripting (XSS) vulnerabilities in SAP Web Application Server (WAS) 6.10 through 7.00 allow remote attackers to inject arbitrary web script or HTML via (1) the sap-syscmd in sap-syscmd and (2) the BspApplication field in the SYSTEM PUBLIC test application.
