Description
The J2EE Engine in SAP NetWeaver 6.40, 7.02, and earlier allows remote attackers to redirect users to arbitrary web sites, conduct phishing attacks, and obtain sensitive information (cookies and SAPPASSPORT) via unspecified vectors.
References (4)
Core References
Various Sources x_refsource_confirm
https://service.sap.com/sap/support/notes/1854826
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/55778
Various Sources x_refsource_confirm
http://scn.sap.com/docs/DOC-8218
Third Party Advisory x_refsource_misc
https://erpscan.io/advisories/erpscan-13-021-sap-portal-unvalidated-redirect/
Scores
EPSS
0.0031
EPSS Percentile
53.9%
Details
CWE
CWE-20
Status
published
Products (2)
sap/netweaver
6.4
sap/netweaver
< 7.02
Published
Nov 20, 2013
Tracked Since
Feb 18, 2026