SAP 漏洞列表

Sapido路由器存在命令执行漏洞 攻击者可利用该漏洞执行任意命令。 app="Sapido-路由器"

Fiori Launchpad login panel was detected.

Fiori Launchpad login panel was detected.

The SAP ICM (Internet Communication Manager) admin monitor interface is often set to public and can be accessed without authentication. The interface discloses version information about the underlying operating system, a brief SAP patch level overview, running services including their corresponding ports and more.

SAP NetWeaver Portal login has been detected. Note that NetWeaver has multiple default passwords as listed in the references.

Detection of SAP NetWeaver ABAP Webserver WebGUI

Fofa app="金和网络-金和OA"

瑞友 应用虚拟化系统 GetBSAppUrl方法存在SQL注入漏洞，由于参数传入没有进行过滤导致存在SQL注入，攻击者通过漏洞可以获取数据库敏感信息 漏洞影响：瑞友应用虚拟化系统 7.0.2.1 "CASMain.XGI?cmd=GetDirApp" && title=="瑞友应用虚拟化系统"

SAP Solution Manager contains an open redirect vulnerability via the logoff endpoint. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.

SAPRouter contains an information leakage vulnerability. fofa: protocol="sap-router"

SAProuter is a software application that provides a remote connection between our customer's network and SAP. fofa: protocol="sap-router"

Sapido多款路由器在未授权的情况下，导致任意访问者可以以Root权限执行命令 http://xxx.xxx.xxx.xxx/syscmd.asp http://xxx.xxx.xxx.xxx/syscmd.htm app="Sapido-路由器"

frameset.htm in the BSP runtime in SAP Web Application Server (WAS) 6.10 through 7.00 allows remote attackers to log users out and redirect them to arbitrary web sites via a close command in the sap-sessioncmd parameter and a URL in the sap-exiturl parameter.

SAP xMII 15.0 for SAP NetWeaver 7.4 is susceptible to a local file inclusion vulnerability in the GetFileList function. This can allow remote attackers to read arbitrary files via a .. (dot dot) in the path parameter to /Catalog, aka SAP Security Note 2230978.

SAP NetWeaver Application Server Java 7.5 is susceptible to local file inclusion in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS. This can allow remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.

SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53 has two XML external entity injection (XXE) vulnerabilities within the XMLCHART page - CVE-2018-2392 and CVE-2018-2393. These vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when submitting a POST request to the XMLCHART page to generate a new chart.

SAP Solution Manager (SolMan) running version 7.2 has a remote command execution vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem). The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF), and execute OS commands on connected SMDAgent.

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system.

SAP BusinessObjects Business Intelligence Platform (Web Services) 410, 420, and 430 is susceptible to blind server-side request forgery. An attacker can inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, attacker can scan network to determine infrastructure and gather information for further attacks like remote file inclusion, retrieving server files, bypassing firewall, and forcing malicious requests.

Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the Server and impact its availability.Note: The impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or internet. The CVSS score reflects the impact considering the worst-case scenario that it runs on the internet.

SAP Knowledge Warehouse 7.30, 7.31, 7.40, and 7.50 contain a reflected cross-site scripting vulnerability via the usage of one SAP KW component within a web browser.

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation attacks. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

frameset.htm in the BSP runtime in SAP Web Application Server (WAS) 6.10 through 7.00 allows remote attackers to log users out and redirect them to arbitrary web sites via a close command in the sap-sessioncmd parameter and a URL in the sap-exiturl parameter.

SAP xMII 15.0 for SAP NetWeaver 7.4 is susceptible to a local file inclusion vulnerability in the GetFileList function. This can allow remote attackers to read arbitrary files via a .. (dot dot) in the path parameter to /Catalog, aka SAP Security Note 2230978.

SAP NetWeaver Application Server Java 7.5 is susceptible to local file inclusion in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS. This can allow remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.

SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53 has two XML external entity injection (XXE) vulnerabilities within the XMLCHART page - CVE-2018-2392 and CVE-2018-2393. These vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when submitting a POST request to the XMLCHART page to generate a new chart.

SAP Solution Manager (SolMan) running version 7.2 has a remote command execution vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem). The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF), and execute OS commands on connected SMDAgent.

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system.

SAP BusinessObjects Business Intelligence Platform (Web Services) 410, 420, and 430 is susceptible to blind server-side request forgery. An attacker can inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, attacker can scan network to determine infrastructure and gather information for further attacks like remote file inclusion, retrieving server files, bypassing firewall, and forcing malicious requests.

Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the Server and impact its availability.Note: The impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or internet. The CVSS score reflects the impact considering the worst-case scenario that it runs on the internet.

SAP Knowledge Warehouse 7.30, 7.31, 7.40, and 7.50 contain a reflected cross-site scripting vulnerability via the usage of one SAP KW component within a web browser.

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation attacks. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

JsAPI Ticket internal file is exposed.

SAP Directory Listing is enabled.

The SAP ICM (Internet Communication Manager) admin monitor interface is often set to public and can be accessed without authentication. The interface discloses version information about the underlying operating system, a brief SAP patch level overview, running services including their corresponding ports and more.

Detected a potential backdoor in SAP NetWeaver allowing unauthorized command execution.

SAP Solution Manager contains an open redirect vulnerability via the logoff endpoint. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.

SAP NetWeaver Visual Composer Metadata Uploader是德国思爱普（SAP）公司的一个用于辅助建模的工具。 SAP NetWeaver Visual Composer Metadata Uploader存在代码问题漏洞，该漏洞源于授权不当，可能导致上传恶意可执行文件。

由于宝兰德 BESAppServer 对于通过 TCP 协议传入的数据过滤不严格，允许未经授权的攻击者使用 TCP 协议向服务器发送特制的请求，可以利用反序列化漏洞在未经授权的情况下远程执行任意代码或控制服务器。

远程代码执行漏洞是指攻击者通过某些漏洞在服务器上执行任意代码，这通常是由于应用程序对外部输入的验证不足或处理不当造成的。攻击者可以利用这个漏洞上传恶意代码或直接通过HTTP请求发送恶意代码，从而控制服务器，进行包括数据窃取、网站篡改、服务器资源滥用等在内的多种恶意行为。

SAP Sybase Event Stream Processor(ESP)中存在多个非法指针引用漏洞，这些漏洞是由于监听服务对XMLRPC请求中的指针变量检验不足导致的。

北京宝兰德软件股份有限公司BES管理控制台存在未授权访问漏洞，攻击者可利用该漏洞获取敏感信息。

Sapido路由器 /syscmd.asp 存在远程命令执行漏洞

Sapido多款路由器在未授权的情况下，导致任意访问者可以以Root权限执行命令

sapido路由器存在后门页面，可在授权情况下，远程执行系统命令，导致系统被控。

北京宝兰德软件股份有限公司BES管理控制台存在逻辑缺陷漏洞，攻击者可利用该漏洞获取敏感信息。

北京宝兰德软件股份有限公司BES管理控制台存在XML实体注入漏洞，攻击者可利用该漏洞获取敏感信息。

北京宝兰德软件股份有限公司BES管理控制台存在逻辑缺陷漏洞，攻击者可利用该漏洞获取敏感信息。

SAP Sybase Event Stream Processor是德国思爱普（SAP）公司的一款Sybase事件流处理器，它能够实现交易和算法监控，帮助用户监控交易性能指标，管理自动化交易战略等。 SAP Sybase Event Stream Processor中存在远程代码执行漏洞，该漏洞源于程序没有充分过用户提交的输入。攻击者可利用该漏洞在受影响应用程序上下文中执行任意代码。

SAP Sybase Event Stream Processor是德国思爱普（SAP）公司的一款Sybase事件流处理器，它能够实现交易和算法监控，帮助用户监控交易性能指标，管理自动化交易战略等。 SAP Sybase Event Stream Processor中存在远程代码执行漏洞。攻击者可利用该漏洞在受影响库的上下文中执行任意代码。也可能造成拒绝服务。

Sapido多款路由器存在弱口令，攻击者可以通过弱口令登录后台

Sapido多款路由器在未授权的情况下，导致任意访问者可以以Root权限执行命令

SAP NetWeaver 平台爆出一个严重的漏洞，远程攻击者成功利用后可允许攻击者在目标服务器执行系统命令或造成应用崩溃。此次受到该漏洞影响的包含SAPNetWeaver 7.0以及以前版本。

SAP Solution Manager是德国思爱普（SAP）公司的一套集系统监控、SAP支持桌面、自助服务、ASAP实施等多个功能为一体的系统管理平台。该平台可以帮助客户建立SAP解决方案的生命周期管理，并提供系统监控、远程支持服务和SAP产品组件升级等功能。 SAP Solution Manager (User Experience Monitoring) 7.2版本中存在安全漏洞，该漏洞源于程序没有对服务进行任意的身份验证。攻击者可利用该漏洞入侵所有连接Solution Manager的SMDAgents。

FredReinink Wellness-app是一款基于Web的健身跟踪应用程序。 FredReinink Wellness-app 2019-06-19之前版本中存在SQL注入漏洞。该漏洞源于基于数据库的应用缺少对外部输入SQL语句的验证。攻击者可利用该漏洞执行非法SQL命令。

SAP Commerce Cloud是德国思爱普（SAP）公司的一套基于云的电子商务平台。该产支持销售管理、营销管理、订单管理和运营管理等。

MIT Kerberos 5（又名krb5）是美国麻省理工学院（MIT）开发的一套网络认证协议，它采用客户端/服务器结构，并且客户端和服务器端均可对对方进行身份认证（即双重验证），可防止窃听、防止replay攻击等。 MIT Kerberos 5的libgssapi_krb5库中的lib/gssapi/krb5/process_context_token.c文件中的‘krb5_gss_process_context_token’函数存在安全漏洞，该漏洞源于程序没有正确处理security-context。远程攻击者可借助特制的GSSAPI流量利用该漏洞造成拒绝服务（释放后重用和双重释放，守护进程崩溃），或执行任意代码。以下版本受到影响：MIT Kerberos 5 1.11.5及之前版本，1.12.x版本至1.12.2版本，1.13.1之前1.13.x版本。