cve,link,title,description,vendor,products,score,severity,epss,cisa,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-47582,https://securityvulnerability.io/vulnerability/CVE-2024-47582,XML Entity Expansion Attack,"Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. This causes limited impact on availability of the application.",SAP,SAP Netweaver As Java,5.3,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-12-10T00:12:24.270Z,0
CVE-2024-47580,https://securityvulnerability.io/vulnerability/CVE-2024-47580,Server-side file exposure vulnerability,"An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability.",SAP,SAP Netweaver As For Java (adobe Document Services),6.8,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-12-10T00:12:11.655Z,0
CVE-2024-47579,https://securityvulnerability.io/vulnerability/CVE-2024-47579,PDF Font File Attack,An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows the attacker to read any file on the server with no effect on integrity or availability.,SAP,SAP Netweaver As For Java (adobe Document Services),6.8,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-12-10T00:12:05.039Z,0
CVE-2024-47578,https://securityvulnerability.io/vulnerability/CVE-2024-47578,Adobe Document Service Vulnerability Allows Server-Side Request Forgery,"A vulnerability exists in Adobe Document Service that allows an attacker with administrator privileges to craft and send malicious requests from a vulnerable web application. This weakness typically targets internal systems shielded by firewalls, rendering them susceptible to external exploitation. Successfully executing this attack can enable a malicious user to read or modify files and potentially disrupt the functionality of the entire system. Organizations utilizing Adobe Document Service should promptly implement security measures and patches to mitigate the risks associated with this vulnerability.",SAP,SAP Netweaver As For Java (adobe Document Services),9.1,CRITICAL,0.0004299999854993075,false,false,false,false,,false,false,2024-12-10T00:11:57.435Z,0
CVE-2024-47592,https://securityvulnerability.io/vulnerability/CVE-2024-47592,Brute Force Vulnerability Affects Confidentiality,SAP NetWeaver AS Java allows an unauthenticated attacker to brute force the login functionality in order to identify the legitimate user IDs. This has an impact on confidentiality but not on integrity or availability.,SAP,SAP Netweaver Application Server Java (logon Application),5.3,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-11-12T00:27:10.881Z,0
CVE-2024-42372,https://securityvulnerability.io/vulnerability/CVE-2024-42372,Unauthorized Access to Restricted SLD Configurations,Due to missing authorization check in SAP NetWeaver AS Java (System Landscape Directory) an unauthorized user can read and modify some restricted global SLD configurations causing low impact on confidentiality and integrity of the application.,SAP,SAP Netweaver As Java (system Landscape Directory),6.5,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-11-12T00:25:44.558Z,0
CVE-2024-45283,https://securityvulnerability.io/vulnerability/CVE-2024-45283,SAP NetWeaver AS for Java Vulnerability Allows Access to Sensitive Information,"SAP NetWeaver AS for Java allows an authorized attacker to obtain sensitive information. The attacker could obtain the username and password when creating an RFC destination. After successful exploitation, an attacker can read the sensitive information but cannot modify or delete the data.",SAP,SAP Netweaver As For Java (destination Service),6,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-09-10T04:52:30.209Z,0
CVE-2024-45280,https://securityvulnerability.io/vulnerability/CVE-2024-45280,SAP NetWeaver AS Java Vulnerability Allows Malicious Script Execution,"Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. This has a limited impact on confidentiality and integrity of the application. There is no impact on availability.",SAP,SAP Netweaver As Java (logon Application),4.8,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-09-10T04:31:10.299Z,0
CVE-2024-33005,https://securityvulnerability.io/vulnerability/CVE-2024-33005,Authorization Bypass,"Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server can impersonate other users and may perform some unintended actions. This could lead to a low impact on confidentiality and a high impact on the integrity and availability of the applications.",SAP,"SAP Netweaver Application Server (abap And Java),SAP Web Dispatcher And SAP Content Server",6.3,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-08-13T03:47:44.829Z,0
CVE-2024-28164,https://securityvulnerability.io/vulnerability/CVE-2024-28164,Unauthenticated Access to Server Information,"SAP NetWeaver AS Java (CAF - Guided Procedures) allows an unauthenticated user to access non-sensitive information about the server which would otherwise be restricted causing low impact on confidentiality of the application.",SAP,SAP Netweaver As Java,5.3,MEDIUM,0.0004600000102072954,false,false,false,false,,false,false,2024-06-11T02:18:48.019Z,0
CVE-2024-34688,https://securityvulnerability.io/vulnerability/CVE-2024-34688,DoS Attacks on Repository Services Can Cause High Availability Impact,"This vulnerability allows for unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java. As a result, attackers can exploit this flaw to execute Denial of Service (DoS) attacks, disrupting application availability for legitimate users. While the integrity and confidentiality of the application remain unaffected, the potential for service disruption raises serious concerns for organizations relying on SAP NetWeaver for their operations.",SAP,SAP Netweaver As Java,7.5,HIGH,0.0004600000102072954,false,false,false,false,,false,false,2024-06-11T02:02:21.587Z,0
CVE-2024-22127,https://securityvulnerability.io/vulnerability/CVE-2024-22127,SAP NetWeaver Administrator AS Java Vulnerability Could Lead to Command Injection,"The vulnerability in SAP NetWeaver Administrator AS Java's Administrator Log Viewer plug-in permits an attacker, who possesses high privileges, to upload potentially harmful files. This exploit leads to a command injection vulnerability, allowing the attacker to execute arbitrary commands within the application. Such unauthorized command execution presents serious risks, potentially compromising the confidentiality, integrity, and availability of the application's data and services. Organizations utilizing affected versions of SAP NetWeaver are urged to apply the necessary patches to mitigate these risks effectively.",SAP,SAP Netweaver As Java (administrator Log Viewer Plug-in),9.1,CRITICAL,0.0004299999854993075,false,false,false,false,,false,false,2024-03-12T01:15:00.000Z,0
CVE-2024-24743,https://securityvulnerability.io/vulnerability/CVE-2024-24743,SAP NetWeaver AS Java Vulnerability Allows Unauthorized Access to Sensitive Data,"An XML parsing vulnerability exists in SAP NetWeaver AS Java (CAF - Guided Procedures) version 7.50. This vulnerability allows an unauthenticated attacker to send specially crafted XML requests over the network, enabling access to sensitive files and information stored within the system. Although the attacker cannot modify the accessed data, this situation raises concerns over data security and privacy. The system does implement expansion limits to ensure that the availability of the application is not compromised.",SAP,SAP Netweaver As Java (guided Procedures),8.6,HIGH,0.0009399999980814755,false,false,false,false,,false,false,2024-02-13T02:43:40.755Z,0
CVE-2024-22126,https://securityvulnerability.io/vulnerability/CVE-2024-22126,SAP NetWeaver AS for Java vulnerable to Cross-Site Scripting (XSS),"The User Admin application of SAP NetWeaver AS for Java version 7.50 contains a vulnerability due to inadequate validation and improper encoding of incoming URL parameters utilized in redirect URLs. This flaw exposes the application to Cross-Site Scripting (XSS) attacks, enabling malicious actors to execute scripts in the context of users' sessions. As a result, this may lead to unauthorized access to sensitive information, compromising user confidentiality while posing a mild threat to the integrity and availability of users' data.",SAP,SAP NetWeaver AS Java (User Admin Application),8.8,HIGH,0.0010400000028312206,false,false,false,false,,false,false,2024-02-13T01:58:27.745Z,0
CVE-2023-42477,https://securityvulnerability.io/vulnerability/CVE-2023-42477,Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application),"SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application.",SAP,SAP Netweaver As Java,6.5,MEDIUM,0.0006799999973736703,false,false,false,false,,false,false,2023-10-10T02:15:00.000Z,0
CVE-2023-40309,https://securityvulnerability.io/vulnerability/CVE-2023-40309,Missing Authorization check in SAP CommonCryptoLib,"The SAP CommonCryptoLib has a critical vulnerability where it fails to implement essential authentication checks. This oversight can lead to improper or missing authorization verifications for users. As a result, an authenticated attacker may exploit this weakness to escalate their privileges, potentially gaining access to functionalities meant for specific user groups. This could allow the attacker to read, alter, or remove sensitive data that should be restricted.",SAP,"SAP Commoncryptolib,SAP Netweaver As Abap, SAP Netweaver As Java And Abap Platform Of S/4hana On-premise,SAP Web Dispatcher,SAP Content Server,SAP Hana Database,SAP Host Agent,SAP Extended Application Services And Runtime (xsa),SAPssoext",9.8,CRITICAL,0.0018700000364333391,false,false,false,false,,false,false,2023-09-12T03:15:00.000Z,0
CVE-2023-40308,https://securityvulnerability.io/vulnerability/CVE-2023-40308,Memory Corruption vulnerability in SAP CommonCryptoLib,"The memory corruption vulnerability in SAP's CommonCryptoLib allows an unauthenticated attacker to submit crafted requests to open ports, resulting in a crash of the target component. This vulnerability affects the availability of the service but does not expose any information, allowing for potential denial of service attacks. Protecting against this issue is critical for maintaining operational reliability.",SAP,"SAP Commoncryptolib,SAP Netweaver As Abap, SAP Netweaver As Java And Abap Platform Of S/4hana On-premise,SAP Web Dispatcher,SAP Content Server,SAP Hana Database,SAP Host Agent,SAP Extended Application Services And Runtime (xsa),SAPssoext",7.5,HIGH,0.0009699999936856329,false,false,false,false,,false,false,2023-09-12T02:15:00.000Z,0
CVE-2023-31405,https://securityvulnerability.io/vulnerability/CVE-2023-31405,Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer),"SAP NetWeaver AS for Java - versions ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50, allows an unauthenticated attacker to craft a request over the network which can result in unwarranted modifications to a system log without user interaction. There is no ability to view any information or any effect on availability.",SAP,SAP Netweaver As For Java (log Viewer),5.3,MEDIUM,0.000910000002477318,false,false,false,false,,false,false,2023-07-11T03:15:00.000Z,0
CVE-2023-30744,https://securityvulnerability.io/vulnerability/CVE-2023-30744,Improper access control during application start-up in SAP AS NetWeaver JAVA.,"In SAP AS NetWeaver JAVA versions SERVERCORE 7.50, J2EE-FRMW 7.50, and CORE-TOOLS 7.50, a vulnerability exists that allows an unauthenticated attacker to exploit an open interface. The attacker can leverage an open naming and directory API to instantiate objects that expose callable methods without requiring further authorization or authentication. This flaw could enable attackers to read or alter the state of existing services, which poses significant risks to the integrity and confidentiality of data while maintaining service availability.",SAP,SAP AS NetWeaver JAVA,9.1,CRITICAL,0.0017800000496208668,false,false,false,false,,false,false,2023-05-09T02:15:00.000Z,0
CVE-2022-29614,https://securityvulnerability.io/vulnerability/CVE-2022-29614,,"SAP startservice - of SAP NetWeaver Application Server ABAP, Application Server Java, ABAP Platform and HANA Database - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, SAPHOSTAGENT 7.22, - on Unix systems, s-bit helper program sapuxuserchk, can be abused physically resulting in a privilege escalation of an attacker leading to low impact on confidentiality and integrity, but a profound impact on availability.",SAP,"SAP Netweaver As Abap, As Java, Abap Platform And Hana Database",5,MEDIUM,0.0005799999926239252,false,false,false,false,,false,false,2022-06-14T18:27:16.000Z,0
CVE-2022-27656,https://securityvulnerability.io/vulnerability/CVE-2022-27656,,"The Web administration UI of SAP Web Dispatcher and the Internet Communication Manager (ICM) does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.",SAP,"SAP Netweaver As For Abap And Java (icm Administration Ui),SAP Web Dispatcher (web Administration Ui)",6.1,MEDIUM,0.0007900000200606883,false,false,false,false,,false,false,2022-05-11T14:53:55.000Z,0
CVE-2022-27669,https://securityvulnerability.io/vulnerability/CVE-2022-27669,,"An unauthenticated user can use functions of XML Data Archiving Service of SAP NetWeaver Application Server for Java - version 7.50, to which access should be restricted. This may result in an escalation of privileges.",SAP,SAP Netweaver Application Server For Java,7.5,HIGH,0.0021200000774115324,false,false,false,false,,false,false,2022-04-12T16:11:31.000Z,0
CVE-2022-22534,https://securityvulnerability.io/vulnerability/CVE-2022-22534,,"Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password. These endpoints are normally exposed over the network and successful exploitation can partially impact confidentiality of the application.",SAP,SAP Netweaver (abap And Java Application Servers),6.1,MEDIUM,0.0008999999845400453,false,false,false,false,,false,false,2022-02-09T22:05:21.000Z,0
CVE-2022-22533,https://securityvulnerability.io/vulnerability/CVE-2022-22533,,"Due to improper error handling in SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an attacker could submit multiple HTTP server requests resulting in errors, such that it consumes the memory buffer. This could result in system shutdown rendering the system unavailable.",SAP,SAP Netweaver Application Server Java,7.5,HIGH,0.0011599999852478504,false,false,false,false,,false,false,2022-02-09T22:05:20.000Z,0
CVE-2022-22532,https://securityvulnerability.io/vulnerability/CVE-2022-22532,,"In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that could be impersonating the victim or even steal the victim's logon session.",SAP,SAP Netweaver Application Server Java,9.8,CRITICAL,0.0025100000202655792,false,false,false,false,,false,false,2022-02-09T22:05:19.000Z,0
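Added example (not part of the export above, and not a tool from securityvulnerability.io or SAP): a Python triage pass over a feed in this column layout. It reads the CSV with the standard library so that quoted descriptions containing commas or newlines survive, reports rows whose field count does not match the header (the way the CVE-2024-47579 record breaks when its two-line description is left unquoted), treats the empty poc cells as false, and orders the remaining records by the feed's exploitation flags (cisa, ransomware, exploited, poc), then CVSS score, then EPSS. The sample rows are copied from the export with abridged descriptions. The "unauthenticated" heuristic (a keyword match on the description) and the ranking policy are this example's own assumptions, not something the feed defines.

```python
"""Triage helper for a securityvulnerability.io-style CVE CSV export.

Added example, not part of the export and not a securityvulnerability.io or
SAP tool. Parses the feed (quoted fields may hold commas and newlines), flags
rows whose field count differs from the header, normalises the boolean
columns, and orders records for patching: exploitation evidence first, then
CVSS base score, then EPSS.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample: header plus records copied from the export, descriptions
# abridged. CVE-2024-47579 is kept with its description unquoted across two
# lines, as the export shows it, so the malformed-row check has a target.
SAMPLE_CSV = '''cve,link,title,description,vendor,products,score,severity,epss,cisa,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-47582,https://securityvulnerability.io/vulnerability/CVE-2024-47582,XML Entity Expansion Attack,"Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack.",SAP,SAP Netweaver As Java,5.3,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-12-10T00:12:24.270Z,0
CVE-2024-47578,https://securityvulnerability.io/vulnerability/CVE-2024-47578,Adobe Document Service Vulnerability Allows Server-Side Request Forgery,"A vulnerability exists in Adobe Document Service that allows an attacker with administrator privileges to craft and send malicious requests from a vulnerable web application.",SAP,SAP Netweaver As For Java (adobe Document Services),9.1,CRITICAL,0.0004299999854993075,false,false,false,false,,false,false,2024-12-10T00:11:57.435Z,0
CVE-2024-47579,https://securityvulnerability.io/vulnerability/CVE-2024-47579,PDF Font File Attack,An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server.
Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows the attacker to read any file on the server,SAP,SAP Netweaver As For Java (adobe Document Services),6.8,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-12-10T00:12:05.039Z,0
CVE-2024-24743,https://securityvulnerability.io/vulnerability/CVE-2024-24743,SAP NetWeaver AS Java Vulnerability Allows Unauthorized Access to Sensitive Data,"An XML parsing vulnerability exists in SAP NetWeaver AS Java (CAF - Guided Procedures) version 7.50. This vulnerability allows an unauthenticated attacker to send specially crafted XML requests over the network, enabling access to sensitive files and information stored within the system.
The system does implement expansion limits to ensure that the availability of the application is not compromised.",SAP,SAP Netweaver As Java (guided Procedures),8.6,HIGH,0.0009399999980814755,false,false,false,false,,false,false,2024-02-13T02:43:40.755Z,0
CVE-2023-30744,https://securityvulnerability.io/vulnerability/CVE-2023-30744,Improper access control during application start-up in SAP AS NetWeaver JAVA.,"In SAP AS NetWeaver JAVA versions SERVERCORE 7.50, J2EE-FRMW 7.50, and CORE-TOOLS 7.50, a vulnerability exists that allows an unauthenticated attacker to exploit an open interface.",SAP,SAP AS NetWeaver JAVA,9.1,CRITICAL,0.0017800000496208668,false,false,false,false,,false,false,2023-05-09T02:15:00.000Z,0
CVE-2022-22532,https://securityvulnerability.io/vulnerability/CVE-2022-22532,,"In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling.",SAP,SAP Netweaver Application Server Java,9.8,CRITICAL,0.0025100000202655792,false,false,false,false,,false,false,2022-02-09T22:05:19.000Z,0
'''


@dataclass(frozen=True)
class Record:
    cve: str
    title: str
    score: float            # CVSS base score as published in the feed
    severity: str
    epss: float             # EPSS probability of exploitation within 30 days
    cisa_kev: bool          # feed's "cisa" column: listed in CISA KEV
    ransomware: bool
    exploited: bool
    poc: bool
    unauthenticated: bool   # assumption: description mentions "unauthenticated"
    published: str


def parse_bool(value: str | None) -> bool:
    """The feed uses 'true'/'false' and leaves some poc cells empty; empty is false."""
    v = (value or "").strip().lower()
    if v in ("true", "1", "yes"):
        return True
    if v in ("false", "0", "no", ""):
        return False
    raise ValueError(f"unexpected boolean value: {value!r}")


def parse_feed(text: str) -> tuple[list[Record], list[int]]:
    """Return (well-formed records, line numbers of rows whose field count
    differs from the header). A wrong count usually means a description with
    a newline or comma that was not quoted."""
    reader = csv.DictReader(io.StringIO(text, newline=""))
    records: list[Record] = []
    malformed: list[int] = []
    for row in reader:
        # Too few fields -> missing columns are None; too many -> extras under key None.
        if None in row or None in row.values():
            malformed.append(reader.line_num)
            continue
        description = " ".join(row["description"].split())
        records.append(Record(
            cve=row["cve"],
            title=row["title"],
            score=float(row["score"]),
            severity=row["severity"],
            epss=float(row["epss"]),
            cisa_kev=parse_bool(row["cisa"]),
            ransomware=parse_bool(row["ransomware"]),
            exploited=parse_bool(row["exploited"]),
            poc=parse_bool(row["poc"]),
            unauthenticated="unauthenticated" in description.lower(),
            published=row["published"],
        ))
    return records, malformed


def exploitation_evidence(r: Record) -> int:
    """Number of independent exploitation signals the feed carries for the record."""
    return sum((r.cisa_kev, r.ransomware, r.exploited, r.poc))


def triage_key(r: Record) -> tuple:
    # Sorted descending: real-world exploitation evidence beats any base score;
    # CVSS next; EPSS breaks ties between equal scores; at equal EPSS an
    # unauthenticated issue outranks one that needs credentials.
    return (exploitation_evidence(r), r.score, r.epss, r.unauthenticated)


def prioritise(records: list[Record], min_score: float = 0.0) -> list[Record]:
    return sorted((r for r in records if r.score >= min_score),
                  key=triage_key, reverse=True)


if __name__ == "__main__":
    recs, bad = parse_feed(SAMPLE_CSV)
    for r in prioritise(recs):
        print(f"{r.cve} {r.score:>4} {r.severity:<8} epss={r.epss:.5f} "
              f"unauth={r.unauthenticated} evidence={exploitation_evidence(r)}")
    if bad:
        print("malformed rows at lines:", bad)
```

On this export every exploitation flag is false, so the ordering falls through to CVSS and then EPSS; the two 9.1 records separate on EPSS alone. Run against a feed where the cisa or exploited columns are set, those records move to the top regardless of score, which is the point of keeping the flags ahead of CVSS in the key.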