Vulnerabilities > SAP

DATE CVE VULNERABILITY TITLE RISK
2020-06-10 CVE-2020-6268 Missing Authorization vulnerability in SAP ERP (Ea-Finserv) and ERP (S4Core)
Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data leading to Missing Authorization Check.
network
low complexity
sap CWE-862
8.1
2020-06-10 CVE-2020-6266 Open Redirect vulnerability in SAP Fiori
SAP Fiori for SAP S/4HANA, versions - 100, 200, 300, 400, allows an attacker to redirect users to a malicious site due to insufficient URL validation, leading to URL Redirection.
network
low complexity
sap CWE-601
5.4
2020-06-10 CVE-2020-6264 Unspecified vulnerability in SAP Commerce
SAP Commerce, versions - 6.7, 1808, 1811, 1905, may allow an attacker to access information under certain conditions which would otherwise be restricted, leading to Information Disclosure.
network
low complexity
sap
7.5
2020-06-10 CVE-2020-6263 Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server Java
Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not perform any authentication checks for operations that require user identity leading to Authentication Bypass.
network
low complexity
sap CWE-306
critical
9.8
2020-06-10 CVE-2020-6260 XML Injection (aka Blind XPath Injection) vulnerability in SAP Solution Manager 7.20
SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to inject superflous data that can be displayed by the application, due to Incomplete XML Validation.
network
low complexity
sap CWE-91
5.3
2020-06-10 CVE-2020-6246 Cross-site Scripting vulnerability in SAP Netweaver AS Abap Business Server Pages
SAP NetWeaver AS ABAP Business Server Pages Test Application SBSPEXT_TABLE, versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2020-06-10 CVE-2020-6239 Insufficiently Protected Credentials vulnerability in SAP Business ONE 10.0/9.3
Under certain conditions SAP Business One (Backup service), versions 9.3, 10.0, allows an attacker with admin permissions to view SYSTEM user password in clear text, leading to Information Disclosure.
local
low complexity
sap CWE-522
4.4
2020-06-09 CVE-2020-6265 Use of Hard-coded Credentials vulnerability in SAP Commerce and Commerce Data HUB
SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials.
network
low complexity
sap CWE-798
critical
9.8
2020-05-12 CVE-2020-6262 Code Injection vulnerability in SAP Application Server
Service Data Download in SAP Application Server ABAP (ST-PI, before versions 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740) allows an attacker to inject code that can be executed by the application.
network
low complexity
sap CWE-94
8.8
2020-05-12 CVE-2020-6259 Missing Authorization vulnerability in SAP Adaptive Server Enterprise 15.7/16.0
Under certain conditions SAP Adaptive Server Enterprise, versions 15.7, 16.0, allows an attacker to access information which would otherwise be restricted leading to Missing Authorization Check.
network
low complexity
sap CWE-862
6.5