Sap: Security Vulnerabilities
Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-07-25
SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via an fget command or (2) write to arbitrary files and consequently execute arbitrary code via an fdir command, aka SAP Security Note 2419592.
CVSS Score
9.8
EPSS Score
0.02
Published
2017-07-25
Cross-site scripting (XSS) vulnerability in the DataArchivingService servlet in SAP NetWeaver Portal 7.4 allows remote attackers to inject arbitrary web script or HTML via the responsecode parameter to shp/shp_result.jsp, aka SAP Security Note 2308535.
CVSS Score
6.1
EPSS Score
0.002
Published
2017-07-25
SAP NetWeaver AS ABAP 7.40 allows remote authenticated users with certain privileges to cause a denial of service (process crash) via vectors involving disp+work.exe, aka SAP Security Note 2406841.
CVSS Score
2.7
EPSS Score
0.003
Published
2017-07-12
SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, aka SAP Security Note 2399804. NOTE: The vendor states that the devserver package of Visual Composer deserializes a malicious object that may cause legitimate users accessing a service, either by crashing or flooding the service.
CVSS Score
7.5
EPSS Score
0.017
Published
2017-07-12
disp+work 7400.12.21.30308 in SAP NetWeaver 7.40 allows remote attackers to cause a denial of service (resource consumption) via a crafted DIAG request, aka SAP Security Note 2405918.
CVSS Score
7.5
EPSS Score
0.042
Published
2017-07-12
Stored Cross-site scripting (XSS) vulnerability in SAP SuccessFactors before b1705.1234962 allows remote authenticated users to inject arbitrary web script or HTML via the file upload functionality.
CVSS Score
5.4
EPSS Score
0.003
Published
2017-06-15
SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065.
CVSS Score
9.6
EPSS Score
0.101
Published
2017-05-26
The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873.
CVSS Score
8.8
EPSS Score
0.006
Published
2017-05-23
sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to hijack npm packages or host arbitrary files by leveraging an insecure user creation policy, aka SAP Security Note 2407694.
CVSS Score
8.3
EPSS Score
0.005
Published
2017-05-23