Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-21446 | 1 Sap | 1 Netweaver Application Server Abap | 2022-10-05 | 5.0 MEDIUM | 7.5 HIGH |
| SAP NetWeaver AS ABAP, versions 740, 750, 751, 752, 753, 754, 755, allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, this has a high impact on the availability of the service. | |||||
| CVE-2020-26835 | 1 Sap | 1 Netweaver Application Server Abap | 2022-10-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver AS ABAP, versions - 740, 750, 751, 752, 753, 754 , does not sufficiently encode URL which allows an attacker to input malicious java script in the URL which could be executed in the browser resulting in Reflected Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2020-26819 | 1 Sap | 1 Netweaver Application Server Abap | 2022-10-05 | 6.5 MEDIUM | 8.8 HIGH |
| SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, that allows them to read and delete database logfiles because of Improper Access Control. | |||||
| CVE-2020-26818 | 1 Sap | 1 Netweaver Application Server Abap | 2022-10-05 | 6.5 MEDIUM | 8.8 HIGH |
| SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, which reveals sensitive system information that would otherwise be restricted to highly privileged users because of missing authorization, resulting in Information Disclosure. | |||||
| CVE-2020-6371 | 1 Sap | 1 Netweaver Application Server Abap | 2022-10-05 | 4.0 MEDIUM | 4.3 MEDIUM |
| User enumeration vulnerability can be exploited to get a list of user accounts and personal user information can be exposed in SAP NetWeaver Application Server ABAP (POWL test application) versions - 710, 711, 730, 731, 740, 750, leading to Information Disclosure. | |||||
| CVE-2020-6310 | 1 Sap | 2 Abap Platform, Netweaver Application Server Abap | 2022-10-05 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper access control in SOA Configuration Trace component in SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 702, 730, 731, 740, 750, allows any authenticated user to enumerate all SAP users, leading to Information Disclosure. | |||||
| CVE-2020-6299 | 1 Sap | 2 Abap Platform, Netweaver Application Server Abap | 2022-10-05 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 740, 750, 751, 752, 753, 754, 755, allows a business user to access the list of users in the given system using value help, leading to Information Disclosure. | |||||
| CVE-2020-6296 | 1 Sap | 2 Abap Platform, Netweaver Application Server Abap | 2022-10-05 | 6.5 MEDIUM | 8.8 HIGH |
| SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, allows an attacker to inject code that can be executed by the application, leading to Code Injection. An attacker could thereby control the behavior of the application. | |||||
| CVE-2020-6280 | 1 Sap | 2 Abap Platform, Netweaver Application Server Abap | 2022-10-05 | 4.0 MEDIUM | 2.7 LOW |
| SAP NetWeaver (ABAP Server) and ABAP Platform, versions 731, 740, 750, allows an attacker with admin privileges to access certain files which should otherwise be restricted, leading to Information Disclosure. | |||||
| CVE-2020-6275 | 1 Sap | 1 Netweaver Application Server Abap | 2022-10-05 | 6.8 MEDIUM | 9.8 CRITICAL |
| SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request Forgery Attack where in an attacker can use inappropriate path names containing malicious server names in the import/export of sessions functionality and coerce the web server into authenticating with the malicious server. Furthermore, if NTLM is setup the attacker can compromise confidentiality, integrity and availability of the SAP database. | |||||
| CVE-2020-6270 | 1 Sap | 1 Netweaver Application Server Abap | 2022-10-05 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP NetWeaver AS ABAP (Banking Services), versions - 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not perform necessary authorization checks for an authenticated user due to Missing Authorization Check, allowing wrong and unexpected change of individual conditions by a malicious user leading to wrong prices. | |||||
| CVE-2020-6240 | 1 Sap | 1 Netweaver Application Server Abap | 2022-10-05 | 5.0 MEDIUM | 7.5 HIGH |
| SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service leading to Denial of Service | |||||
| CVE-2019-0321 | 1 Sap | 2 Netweaver Application Server Abap, Netweaver As Abap | 2022-10-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| ABAP Server and ABAP Platform (SAP Basis), versions, 7.31, 7.4, 7.5, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2022-41443 | 1 Phpipam | 1 Phpipam | 2022-10-05 | N/A | 9.8 CRITICAL |
| phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php. | |||||
| CVE-2022-42247 | 1 Pfsense | 1 Pfsense | 2022-10-05 | N/A | 6.1 MEDIUM |
| pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name. | |||||
| CVE-2022-38817 | 1 Linuxfoundation | 1 Dapr Dashboard | 2022-10-05 | N/A | 7.5 HIGH |
| Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data. | |||||
| CVE-2021-21875 | 1 Lantronix | 2 Premierwave 2050, Premierwave 2050 Firmware | 2022-10-05 | 9.0 HIGH | 9.1 CRITICAL |
| A specially-crafted HTTP request can lead to arbitrary command execution in EC keypasswd parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2021-21874 | 1 Lantronix | 2 Premierwave 2050, Premierwave 2050 Firmware | 2022-10-05 | 9.0 HIGH | 9.1 CRITICAL |
| A specially-crafted HTTP request can lead to arbitrary command execution in DSA keypasswd parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2021-44532 | 3 Debian, Nodejs, Oracle | 9 Debian Linux, Node.js, Graalvm and 6 more | 2022-10-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option. | |||||
| CVE-2021-44531 | 2 Nodejs, Oracle | 8 Node.js, Graalvm, Mysql Cluster and 5 more | 2022-10-05 | 5.8 MEDIUM | 7.4 HIGH |
| Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option. | |||||