Vulnerabilities > SAP

DATE CVE VULNERABILITY TITLE RISK
2020-08-12 CVE-2020-6284 Cross-site Scripting vulnerability in SAP Netweaver Knowledge Management
SAP NetWeaver (Knowledge Management), versions - 7.30, 7.31, 7.40, 7.50, allows the automatic execution of script content in a stored file due to inadequate filtering with the accessing user's privileges.
network
low complexity
sap CWE-79
critical
9.0
2020-08-12 CVE-2020-6273 Missing Authorization vulnerability in SAP S/4 Hana Fiori UI for General Ledger Accounting 103/104
SAP S/4 HANA (Fiori UI for General Ledger Accounting), versions 103, 104, does not perform necessary authorization checks for an authenticated user working with attachment service, allowing the attacker to delete attachments due to Missing Authorization Check.
network
low complexity
sap CWE-862
4.3
2020-07-14 CVE-2020-6292 Insufficient Session Expiration vulnerability in SAP Disclosure Management 10.1
Logout mechanism in SAP Disclosure Management, version 10.1, does not invalidate one of the session cookies, leading to Insufficient Session Expiration.
network
low complexity
sap CWE-613
8.8
2020-07-14 CVE-2020-6291 Insufficient Session Expiration vulnerability in SAP Disclosure Management 10.1
SAP Disclosure Management, version 10.1, session mechanism does not have expiration data set therefore allows unlimited access after authenticating once, leading to Insufficient Session Expiration
network
low complexity
sap CWE-613
8.8
2020-07-14 CVE-2020-6290 Session Fixation vulnerability in SAP Disclosure Management 10.1
SAP Disclosure Management, version 10.1, is vulnerable to Session Fixation attacks wherein the attacker tricks the user into using a specific session ID.
network
low complexity
sap CWE-384
6.3
2020-07-14 CVE-2020-6289 Cross-Site Request Forgery (CSRF) vulnerability in SAP Disclosure Management 10.1
SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.
network
low complexity
sap CWE-352
8.8
2020-07-14 CVE-2020-6287 Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
network
low complexity
sap CWE-306
critical
10.0
2020-07-14 CVE-2020-6286 Path Traversal vulnerability in SAP Netweaver Application Server Java
The insufficient input path validation of certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal.
network
low complexity
sap CWE-22
5.3
2020-07-14 CVE-2020-6285 Unspecified vulnerability in SAP Netweaver
SAP NetWeaver - XML Toolkit for JAVA (ENGINEAPI) (versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50), under certain conditions allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure.
network
low complexity
sap
6.5
2020-07-14 CVE-2020-6282 Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send a crafted request from a vulnerable web application.
network
low complexity
sap CWE-918
5.8