cve,link,title,description,vendor,products,score,severity,epss,cisa,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-47582,https://securityvulnerability.io/vulnerability/CVE-2024-47582,XML Entity Expansion Attack,"Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. This causes limited impact on availability of the application.",SAP,SAP Netweaver As Java,5.3,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-12-10T00:12:24.270Z,0
CVE-2024-47580,https://securityvulnerability.io/vulnerability/CVE-2024-47580,Server-side file exposure vulnerability,"An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability.",SAP,SAP Netweaver As For Java (adobe Document Services),6.8,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-12-10T00:12:11.655Z,0
CVE-2024-47579,https://securityvulnerability.io/vulnerability/CVE-2024-47579,PDF Font File Attack,"An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows the attacker to read any file on the server with no effect on integrity or availability.",SAP,SAP Netweaver As For Java (adobe Document Services),6.8,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-12-10T00:12:05.039Z,0
CVE-2024-47578,https://securityvulnerability.io/vulnerability/CVE-2024-47578,Adobe Document Service Vulnerability Allows Server-Side Request Forgery,"A vulnerability exists in Adobe Document Service that allows an attacker with administrator privileges to craft and send malicious requests from a vulnerable web application. This weakness typically targets internal systems shielded by firewalls, rendering them susceptible to external exploitation. Successfully executing this attack can enable a malicious user to read or modify files and potentially disrupt the functionality of the entire system. Organizations utilizing Adobe Document Service should promptly implement security measures and patches to mitigate the risks associated with this vulnerability.",SAP,SAP Netweaver As For Java (adobe Document Services),9.1,CRITICAL,0.0004299999854993075,false,false,false,false,,false,false,2024-12-10T00:11:57.435Z,0
CVE-2024-47592,https://securityvulnerability.io/vulnerability/CVE-2024-47592,Brute Force Vulnerability Affects Confidentiality,"SAP NetWeaver AS Java allows an unauthenticated attacker to brute force the login functionality in order to identify the legitimate user IDs. This has an impact on confidentiality but not on integrity or availability.",SAP,SAP Netweaver Application Server Java (logon Application),5.3,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-11-12T00:27:10.881Z,0
CVE-2024-42372,https://securityvulnerability.io/vulnerability/CVE-2024-42372,Unauthorized Access to Restricted SLD Configurations,"Due to missing authorization check in SAP NetWeaver AS Java (System Landscape Directory) an unauthorized user can read and modify some restricted global SLD configurations causing low impact on confidentiality and integrity of the application.",SAP,SAP Netweaver As Java (system Landscape Directory),6.5,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-11-12T00:25:44.558Z,0
CVE-2024-45283,https://securityvulnerability.io/vulnerability/CVE-2024-45283,SAP NetWeaver AS for Java Vulnerability Allows Access to Sensitive Information,"SAP NetWeaver AS for Java allows an authorized attacker to obtain sensitive information. The attacker could obtain the username and password when creating an RFC destination. After successful exploitation, an attacker can read the sensitive information but cannot modify or delete the data.",SAP,SAP Netweaver As For Java (destination Service),6,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-09-10T04:52:30.209Z,0
CVE-2024-45280,https://securityvulnerability.io/vulnerability/CVE-2024-45280,SAP NetWeaver AS Java Vulnerability Allows Malicious Script Execution,"Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. This has a limited impact on confidentiality and integrity of the application. There is no impact on availability.",SAP,SAP Netweaver As Java (logon Application),4.8,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-09-10T04:31:10.299Z,0
CVE-2024-33005,https://securityvulnerability.io/vulnerability/CVE-2024-33005,Authorization Bypass,"Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server can impersonate other users and may perform some unintended actions. This could lead to a low impact on confidentiality and a high impact on the integrity and availability of the applications.",SAP,"SAP Netweaver Application Server (abap And Java),SAP Web Dispatcher And SAP Content Server",6.3,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-08-13T03:47:44.829Z,0
CVE-2024-42374,https://securityvulnerability.io/vulnerability/CVE-2024-42374,Untrusted XML Document Validation Vulnerability Affects SAP ADS Rendering,"The BEx Web Java Runtime Export Web Service from SAP exhibits inadequate validation of XML documents received from untrusted sources. This vulnerability enables attackers to extract sensitive information from SAP ADS systems. Additionally, it can lead to the exhaustion of the XMLForm service, resulting in the inaccessibility of PDF creation functionalities, ultimately compromising the confidentiality and availability of applications relying on this service.",SAP,SAP Bex Web Java Runtime Export Web Service,8.2,HIGH,0.0004600000102072954,false,false,false,false,,false,false,2024-08-13T03:34:11.415Z,0
CVE-2024-28164,https://securityvulnerability.io/vulnerability/CVE-2024-28164,Unauthenticated Access to Server Information,"SAP NetWeaver AS Java (CAF - Guided Procedures) allows an unauthenticated user to access non-sensitive information about the server which would otherwise be restricted causing low impact on confidentiality of the application.",SAP,SAP Netweaver As Java,5.3,MEDIUM,0.0004600000102072954,false,false,false,false,,false,false,2024-06-11T02:18:48.019Z,0
CVE-2024-34688,https://securityvulnerability.io/vulnerability/CVE-2024-34688,DoS Attacks on Repository Services Can Cause High Availability Impact,"This vulnerability allows for unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java. As a result, attackers can exploit this flaw to execute Denial of Service (DoS) attacks, disrupting application availability for legitimate users. While the integrity and confidentiality of the application remain unaffected, the potential for service disruption raises serious concerns for organizations relying on SAP NetWeaver for their operations.",SAP,SAP Netweaver As Java,7.5,HIGH,0.0004600000102072954,false,false,false,false,,false,false,2024-06-11T02:02:21.587Z,0
CVE-2024-22127,https://securityvulnerability.io/vulnerability/CVE-2024-22127,SAP NetWeaver Administrator AS Java Vulnerability Could Lead to Command Injection,"The vulnerability in SAP NetWeaver Administrator AS Java's Administrator Log Viewer plug-in permits an attacker, who possesses high privileges, to upload potentially harmful files. This exploit leads to a command injection vulnerability, allowing the attacker to execute arbitrary commands within the application. Such unauthorized command execution presents serious risks, potentially compromising the confidentiality, integrity, and availability of the application's data and services. Organizations utilizing affected versions of SAP NetWeaver are urged to apply the necessary patches to mitigate these risks effectively.",SAP,SAP Netweaver As Java (administrator Log Viewer Plug-in),9.1,CRITICAL,0.0004299999854993075,false,false,false,false,,false,false,2024-03-12T01:15:00.000Z,0
CVE-2024-24743,https://securityvulnerability.io/vulnerability/CVE-2024-24743,SAP NetWeaver AS Java Vulnerability Allows Unauthorized Access to Sensitive Data,"An XML parsing vulnerability exists in SAP NetWeaver AS Java (CAF - Guided Procedures) version 7.50. This vulnerability allows an unauthenticated attacker to send specially crafted XML requests over the network, enabling access to sensitive files and information stored within the system. Although the attacker cannot modify the accessed data, this situation raises concerns over data security and privacy. The system does implement expansion limits to ensure that the availability of the application is not compromised.",SAP,SAP Netweaver As Java (guided Procedures),8.6,HIGH,0.0009399999980814755,false,false,false,false,,false,false,2024-02-13T02:43:40.755Z,0
CVE-2024-22126,https://securityvulnerability.io/vulnerability/CVE-2024-22126,SAP NetWeaver AS for Java vulnerable to Cross-Site Scripting (XSS),"The User Admin application of SAP NetWeaver AS for Java version 7.50 contains a vulnerability due to inadequate validation and improper encoding of incoming URL parameters utilized in redirect URLs. This flaw exposes the application to Cross-Site Scripting (XSS) attacks, enabling malicious actors to execute scripts in the context of users' sessions. As a result, this may lead to unauthorized access to sensitive information, compromising user confidentiality while posing a mild threat to the integrity and availability of users' data.",SAP,SAP NetWeaver AS Java (User Admin Application),8.8,HIGH,0.0010400000028312206,false,false,false,false,,false,false,2024-02-13T01:58:27.745Z,0
CVE-2023-49580,https://securityvulnerability.io/vulnerability/CVE-2023-49580,Information disclosure in SAP GUI for Windows and SAP GUI for Java,"The SAP GUI for Windows and Java, specifically versions SAP_BASIS 755, 756, 757, and 758, are susceptible to a vulnerability that allows an unauthorized attacker to gain access to sensitive, restricted information. This breach can lead to the creation of custom Layout configurations in the ABAP List Viewer, which could adversely affect both the integrity and availability of the service. An attacker may exploit this vulnerability to manipulate system response times, leading to potential disruptions in service.",SAP,SAP Gui For Windows And SAP Gui For Java,7.3,HIGH,0.000859999970998615,false,false,false,false,,false,false,2023-12-12T02:15:00.000Z,0
CVE-2023-42480,https://securityvulnerability.io/vulnerability/CVE-2023-42480,Information Disclosure in NetWeaver AS Java Logon,"The unauthenticated attacker in NetWeaver AS Java Logon application - version 7.50, can brute force the login functionality to identify the legitimate user ids. This will have an impact on confidentiality but there is no other impact on integrity or availability.",SAP,Netweaver As Java,5.3,MEDIUM,0.000750000006519258,false,false,false,false,,false,false,2023-11-14T01:15:00.000Z,0
CVE-2023-42477,https://securityvulnerability.io/vulnerability/CVE-2023-42477,Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application),"SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application.",SAP,SAP Netweaver As Java,6.5,MEDIUM,0.0006799999973736703,false,false,false,false,,false,false,2023-10-10T02:15:00.000Z,0
CVE-2023-40309,https://securityvulnerability.io/vulnerability/CVE-2023-40309,Missing Authorization check in SAP CommonCryptoLib,"The SAP CommonCryptoLib has a critical vulnerability where it fails to implement essential authentication checks. This oversight can lead to improper or missing authorization verifications for users. As a result, an authenticated attacker may exploit this weakness to escalate their privileges, potentially gaining access to functionalities meant for specific user groups. This could allow the attacker to read, alter, or remove sensitive data that should be restricted.",SAP,"SAP Commoncryptolib,SAP Netweaver As Abap, SAP Netweaver As Java And Abap Platform Of S/4hana On-premise,SAP Web Dispatcher,SAP Content Server,SAP Hana Database,SAP Host Agent,SAP Extended Application Services And Runtime (xsa),SAPssoext",9.8,CRITICAL,0.0018700000364333391,false,false,false,false,,false,false,2023-09-12T03:15:00.000Z,0
CVE-2023-40308,https://securityvulnerability.io/vulnerability/CVE-2023-40308,Memory Corruption vulnerability in SAP CommonCryptoLib,"The memory corruption vulnerability in SAP's CommonCryptoLib allows an unauthenticated attacker to submit crafted requests to open ports, resulting in a crash of the target component. This vulnerability affects the availability of the service but does not expose any information, allowing for potential denial of service attacks. Protecting against this issue is critical for maintaining operational reliability.",SAP,"SAP Commoncryptolib,SAP Netweaver As Abap, SAP Netweaver As Java And Abap Platform Of S/4hana On-premise,SAP Web Dispatcher,SAP Content Server,SAP Hana Database,SAP Host Agent,SAP Extended Application Services And Runtime (xsa),SAPssoext",7.5,HIGH,0.0009699999936856329,false,false,false,false,,false,false,2023-09-12T02:15:00.000Z,0
CVE-2023-31405,https://securityvulnerability.io/vulnerability/CVE-2023-31405,Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer),"SAP NetWeaver AS for Java - versions ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50, allows an unauthenticated attacker to craft a request over the network which can result in unwarranted modifications to a system log without user interaction. There is no ability to view any information or any effect on availability.",SAP,SAP Netweaver As For Java (log Viewer),5.3,MEDIUM,0.000910000002477318,false,false,false,false,,false,false,2023-07-11T03:15:00.000Z,0
CVE-2023-30744,https://securityvulnerability.io/vulnerability/CVE-2023-30744,Improper access control during application start-up in SAP AS NetWeaver JAVA.,"In SAP AS NetWeaver JAVA versions SERVERCORE 7.50, J2EE-FRMW 7.50, and CORE-TOOLS 7.50, a vulnerability exists that allows an unauthenticated attacker to exploit an open interface. The attacker can leverage an open naming and directory API to instantiate objects that expose callable methods without requiring further authorization or authentication. This flaw could enable attackers to read or alter the state of existing services, which poses significant risks to the integrity and confidentiality of data while maintaining service availability.",SAP,SAP AS NetWeaver JAVA,9.1,CRITICAL,0.0017800000496208668,false,false,false,false,,false,false,2023-05-09T02:15:00.000Z,0
CVE-2023-24527,https://securityvulnerability.io/vulnerability/CVE-2023-24527,Improper Access Control in SAP NetWeaver AS Java for Deploy Service,"SAP NetWeaver AS Java for Deploy Service - version 7.5, does not perform any access control checks for functionalities that require user identity enabling an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to access but not modify server settings and data with no effect on availability and integrity.",SAP,NetWeaver AS Java for Deploy Service,5.3,MEDIUM,0.0006500000017695129,false,false,false,false,,false,false,2023-04-11T03:15:00.000Z,0
CVE-2023-24526,https://securityvulnerability.io/vulnerability/CVE-2023-24526,Improper Access Control in SAP NetWeaver AS Java (Classload Service),"SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. This failure has a low impact on confidentiality of the data such that an unassigned user can read non-sensitive server data.",SAP,NetWeaver AS Java for Classload Service,5.3,MEDIUM,0.0007800000021234155,false,false,false,false,,false,false,2023-03-14T05:15:00.000Z,0
CVE-2023-27268,https://securityvulnerability.io/vulnerability/CVE-2023-27268,Improper Access Control in SAP NetWeaver AS Java (Object Analyzing Service),"SAP NetWeaver AS Java (Object Analyzing Service) - version 7.50, does not perform necessary authorization checks, allowing an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to access but not modify server settings and data with no effect on availability, resulting in escalation of privileges.",SAP,NetWeaver AS Java (Object Analyzing Service),5.3,MEDIUM,0.0008299999753944576,false,false,false,false,,false,false,2023-03-14T05:15:00.000Z,0