SAP NetWeaver J2EE Engine version 7.40 suffers from a cryptographic issue that can lead to information disclosure.
SAP NetWeaver J2EE Engine version 7.40 suffers from a cross-site scripting vulnerability.
SAP NetWeaver J2EE engine version 7.40 suffers from a remote SQL injection vulnerability.
SAP Mobile Platform version 2.3 suffers from an XML external entity injection vulnerability.
SAP NetWeaver AS Java version 7.4 suffers from multiple XXE vulnerabilities. An attacker can read an arbitrary file on a server by sending a correct XML request with a crafted DTD and reading the response from the service. An attacker can also perform a DoS attack (for example, XML Entity Expansion). An SMB Relay attack is a type of Man-in-the-Middle attack where the attacker asks the victim to authenticate to a machine controlled by the attacker, then relays the credentials to the target. The attacker forwards the authentication information both ways and gets access.
SAP NetWeaver AS Java version 7.4 suffers from an XXE injection vulnerability. Related CVE Number: CVE-2015-4091.
An issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a webview within its own activity. If an attacker used a file:// URL to a file that they controlled, it was possible to use symbolic links to bypass the Same Origin Policy and retrieve data out of the Google Admin sandbox.
SAP has released the monthly critical patch update for August 2015. This patch update closes 22 vulnerabilities in SAP products; 15 have high priority, and some of them belong to the SAP HANA security area. The most popular vulnerability is cross-site scripting.
SAP Mobile Platform version 3.0 suffers from an XXE injection vulnerability. The problem is caused by a program error due to the incorrect use of an XML parser (/mobiliser servlet). By default, the parser opens external entities referenced within an XML input, which can then lead to malicious content being parsed. This malicious content can reference internal resources, such as files. These internal resources can be disclosed in the response to the request, or can be used to perform a denial of service attack on the parsing system, rendering the application content temporarily unavailable.
SYBASE SQL Anywhere versions 12 and 16 suffer from a denial of service vulnerability. An attacker can trigger a condition in which the process ceases to run. This condition can be intentionally provoked by an attacker to cause denial of service.
SAP Afaria version 7 suffers from a missing authorization check vulnerability. An attacker can use a missing authorization check to access the service without any authorization procedures and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.
SAP Afaria version 7 suffers from a denial of service vulnerability in the XcListener module XeClient.Dll.
SAP NetWeaver Portal version 7.31 suffers from an XXE injection vulnerability. By default, the parser opens external entities referenced within an XML input, which can then lead to malicious content being parsed. This malicious content can reference internal resources, such as files. These internal resources can be disclosed in the response to the request, or can be used to perform a denial of service attack on the parsing system, rendering the application content temporarily unavailable.
SAP NetWeaver Portal version 7.31 suffers from an XXE injection vulnerability. The problem is caused by a program error in 'ValidationComponent' due to the incorrect use of an XML parser. By default, the parser opens external entities referenced within an XML input, which can then lead to malicious content being parsed. This malicious content can reference internal resources, such as files. These internal resources can be disclosed in the response to the request, or can be used to perform a denial of service attack on the parsing system, rendering the application content temporarily unavailable.
SAP has released the monthly critical patch update for June 2015. This patch update closes buffer overflow, remote SQL injection, XML eXternal Entity, and hardcoded credentials vulnerabilities.