Vulnerabilities > SAP

DATE CVE VULNERABILITY TITLE RISK
2020-11-10 CVE-2020-26820 Unrestricted Upload of File with Dangerous Type vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to the file system and upload a malicious file.
network
low complexity
sap CWE-434
7.2
2020-11-10 CVE-2020-26819 Unspecified vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, that allows them to read and delete database logfiles because of Improper Access Control.
network
low complexity
sap
8.8
2020-11-10 CVE-2020-26818 Missing Authorization vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, which reveals sensitive system information that would otherwise be restricted to highly privileged users because of missing authorization, resulting in Information Disclosure.
network
low complexity
sap CWE-862
8.8
2020-11-10 CVE-2020-26817 Out-of-bounds Write vulnerability in SAP 3D Visual Enterprise Viewer 9
SAP 3D Visual Enterprise Viewer, version - 9, allows an user to open manipulated HPGL file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
local
low complexity
sap CWE-787
7.8
2020-11-10 CVE-2020-26815 Server-Side Request Forgery (SSRF) vulnerability in SAP Fiori Launchpad (News Tile Application)
SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to send a crafted request to a vulnerable web application.
network
low complexity
sap CWE-918
8.6
2020-11-10 CVE-2020-26814 Unspecified vulnerability in SAP Process Integration (Pgp Module - Business-To-Business ADD On) 1.0
SAP Process Integration (PGP Module - Business-to-Business Add On), version - 1.0, allows an attacker to read PGP Keys under certain conditions in the PGP Module of Business-to-Business Add-On, these keys can then be used to read messages processed by the module leading to Information Disclosure.
network
low complexity
sap
4.9
2020-11-10 CVE-2020-26811 Server-Side Request Forgery (SSRF) vulnerability in SAP Commerce Cloud (Accelerator Payment Mock)
SAP Commerce Cloud (Accelerator Payment Mock), versions - 1808, 1811, 1905, 2005, allows an unauthenticated attacker to submit a crafted request over a network to a particular SAP Commerce module URL which will be processed without further interaction, the crafted request leads to Server Side Request Forgery attack which could lead to retrieval of limited pieces of information about the service with no impact on integrity or availability.
network
low complexity
sap CWE-918
5.3
2020-11-10 CVE-2020-26810 Unspecified vulnerability in SAP Commerce Cloud (Accelerator Payment Mock)
SAP Commerce Cloud (Accelerator Payment Mock), versions - 1808, 1811, 1905, 2005, allows an unauthenticated attacker to submit a crafted request over a network to a particular SAP Commerce module URL which will be processed without further interaction, the crafted request can render the SAP Commerce service itself unavailable leading to Denial of Service with no impact on confidentiality or integrity.
network
low complexity
sap
7.5
2020-11-10 CVE-2020-26809 Incorrect Default Permissions vulnerability in SAP Commerce Cloud
SAP Commerce Cloud, versions- 1808,1811,1905,2005, allows an attacker to bypass existing authentication and permission checks via the '/medias' endpoint hence gaining access to Secure Media folders.
network
low complexity
sap CWE-276
5.3
2020-11-10 CVE-2020-26808 Unspecified vulnerability in SAP AS Abap(Dmis) and SAP S4 Hana(Dmis)
SAP AS ABAP(DMIS), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA(DMIS), versions - 101, 102, 103, 104, 105, allows an authenticated attacker to inject arbitrary code into function module leading to code injection that can be executed in the application which affects the confidentiality, availability and integrity of the application.
network
low complexity
sap
7.2