Netweaver Application Server Java
CVE-2020-26826
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to Unrestricted File Upload.
AnalysisAI
Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to Unrestricted File Upload. Affected products include: Sap Netweaver Application Server Java.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.
XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remo
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication c
Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbi
SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary conne
SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization
SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not pe
Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10,
A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator Sy
SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high priv
SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allo
The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML
The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote auth
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today