VYPR

NetWeaver Enterprise Portal Federated Portal Network

by SAP

CVEs (8)

  • CVE-2025-42980 | Critical | Jul 8, 2025
    risk 0.59 | cvss 9.1 | epss 0.01

    SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

  • CVE-2025-23194 | Medium | Mar 11, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    SAP NetWeaver Enterprise Portal OBN does not perform a proper authentication check for a particular configuration setting. As a result, a non-authenticated user can set it to an undesired value, causing low impact on integrity. There is no impact on confidentiality or availability of the application.

  • CVE-2024-47594 | Oct 8, 2024
    risk 0.00 | cvss | epss 0.01

    SAP NetWeaver Enterprise Portal (KMC) does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting vulnerability in the KMC servlet. An attacker could craft a script and trick the user into clicking it. When a victim who is registered on the portal clicks on such a link, confidentiality and integrity of their web browser session could be compromised.

  • CVE-2024-25645 | Mar 12, 2024
    risk 0.00 | cvss | epss 0.00

    Under certain conditions, SAP NetWeaver (Enterprise Portal) - version 7.50 allows an attacker to access information which would otherwise be restricted, causing low impact on confidentiality of the application and no impact on integrity and availability of the application.

  • CVE-2023-33985 | Jun 13, 2023
    risk 0.00 | cvss | epss 0.01

    SAP NetWeaver Enterprise Portal - version 7.50 does not sufficiently encode user-controlled inputs over the network, resulting in a reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack. On successful exploitation, an attacker can view or modify information, causing a limited impact on confidentiality and integrity of the application.

  • CVE-2023-28761 | Apr 11, 2023
    risk 0.00 | cvss | epss 0.00

    In SAP NetWeaver Enterprise Portal - version 7.50, an unauthenticated attacker can attach to an open interface and make use of an open API to access a service which will enable them to access or modify server settings and data, leading to limited impact on confidentiality and integrity.

  • CVE-2023-26461 | Mar 14, 2023
    risk 0.00 | cvss | epss 0.00

    SAP NetWeaver (SAP Enterprise Portal) - version 7.50 allows an authenticated attacker with sufficient privileges to access the XML parser, which can submit a crafted XML file which, when parsed, will enable them to access but not modify sensitive files and data. It allows the attacker to view sensitive data which is owned by certain privileges.

  • CVE-2018-2435 | Jul 10, 2018
    risk 0.00 | cvss | epss 0.00

    SAP NetWeaver Enterprise Portal from 7.0 to 7.02, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.