CVE-2021-27607

SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher), versions – KRNL32NUC – 7.22,7.22EXT, KRNL32UC – 7.22,7.22EXT, KRNL64NUC – 7.22,7.22EXT,7.49, KRNL64UC – 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL – 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method ThSncIn() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.

Source: CVE-2021-27607

CVE-2021-21490

SAP NetWeaver AS for ABAP (Web Survey), versions – 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user.

Source: CVE-2021-21490

CVE-2021-27628

SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher), versions – KRNL32NUC – 7.22,7.22EXT, KRNL32UC – 7.22,7.22EXT, KRNL64NUC – 7.22,7.22EXT,7.49, KRNL64UC – 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL – 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method DpRTmPrepareReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.

Source: CVE-2021-27628

CVE-2021-21473

SAP NetWeaver AS ABAP and ABAP Platform, versions – 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform.

Source: CVE-2021-21473

CVE-2021-33668

Due to improper input sanitization, specially crafted LDAP queries can be injected by an unauthenticated user. This could partially impact the confidentiality of the application.

Source: CVE-2021-33668

CVE-2021-3533

A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.

Source: CVE-2021-3533

CVE-2021-3532

A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. Any secret information in an async status file will be readable by a malicious user on that system. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.

Source: CVE-2021-3532

CVE-2021-34369

portlets/contact/ref/refContactDetail.do in Accela Civic Platform through 20.1 allows remote attackers to obtain sensitive information via a modified contactSeqNumber value.

Source: CVE-2021-34369

CVE-2021-34370

Accela Civic Platform through 20.1 allows ssoAdapter/logoutAction.do successURL XSS.

Source: CVE-2021-34370

CVE-2021-33842

Improper Authentication vulnerability in the cookie parameter of Circutor SGE-PLC1000 firmware version 0.9.2b allows an attacker to perform operations as an authenticated user. In order to exploit this vulnerability, the attacker must be within the network where the device affected is located.

Source: CVE-2021-33842