Critical SAP vulnerabilities

Each entry gives the publication date, CVE identifier and title, followed by the description, the attack vector and attack complexity, the vendor and CWE, and the risk rating with its score.
2020-11-10  CVE-2020-26820  Unrestricted Upload of File with Dangerous Type vulnerability in SAP NetWeaver Application Server Java
Description: SAP NetWeaver AS Java, versions 7.20, 7.30, 7.31, 7.40 and 7.50, allows an attacker who is authenticated as an administrator to use the administrator console to expose unauthenticated access to the file system and upload a malicious file.
Attack vector: network. Attack complexity: low.
Vendor: SAP. Weakness: CWE-434.
Risk: critical, score 9.0.

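The entry above describes an administrator-reachable upload that accepts a dangerous file type. As an added illustration that is not SAP's code and not the NetWeaver administrator console, the following Python shows the server-side checks that close this class of bug: an extension allowlist judged on the final extension only, a content check against the type's magic bytes, and a server-chosen file name written without overwrite and with a non-executable mode. The size limit, the allowed types and the magic-byte table are assumptions chosen for the example.

```python
import os
import secrets

# Added example, not SAP code: server-side vetting of an uploaded file so that
# an executable or script cannot be stored under a name the client controls.
# The size limit, the allowed types and their magic bytes are assumptions
# chosen for this example.

MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# Allowed extension -> byte prefixes a genuine file of that type starts with.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    """Raised when an upload fails any check."""


def vet_upload(client_filename: str, data: bytes) -> str:
    """Validate an upload and return a server-chosen filename for it.

    Raises UploadRejected if the file is too large, has a disallowed or
    missing extension, or its content does not match the declared type.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")

    # Keep only the last path component so "../../x.png" or "C:\\x.png"
    # cannot steer the write outside the upload directory.
    base = os.path.basename(client_filename.replace("\\", "/"))

    # Judge the file by its final extension only, compared case-insensitively:
    # "shell.jsp" and "shell.JSP" are rejected, and so is "shell.png.jsp".
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")

    # A script renamed to .png fails the content check.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")

    # Never reuse the client's name: a random name with the vetted extension
    # rules out overwriting an existing file or placing a server-interpreted
    # name (.jsp, .php, .htaccess) on disk.
    return secrets.token_hex(16) + ext


def upload_allowed(client_filename: str, data: bytes) -> bool:
    """Boolean convenience wrapper around vet_upload for callers and tests."""
    try:
        vet_upload(client_filename, data)
    except UploadRejected:
        return False
    return True


def store_upload(client_filename: str, data: bytes, upload_dir: str) -> str:
    """Vet the upload and write it with O_EXCL under a non-executable mode."""
    safe_name = vet_upload(client_filename, data)
    path = os.path.join(upload_dir, safe_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed sample inputs: a real PNG header and a JSP shell renamed .png.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    jsp = b'<%@ page import="java.io.*" %>'
    print("png ok:", upload_allowed("../../evil.png", png))   # True
    print("jsp as png:", upload_allowed("shell.png", jsp))    # False
    print("jsp direct:", upload_allowed("shell.jsp", jsp))    # False
```

The magic-byte check is what defeats the "rename the shell to .png" trick; the random server-side name is what defeats double extensions and traversal in the client-supplied name, so neither check alone is enough.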
2020-10-15  CVE-2020-6364  OS Command Injection vulnerability in SAP Introscope Enterprise Manager
Description: SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5 and 10.7) allow an attacker to modify a cookie in a way that causes OS commands to be executed, potentially gaining control of the host running the CA Introscope Enterprise Manager, leading to code injection.
Attack vector: network. Attack complexity: low.
Vendor: SAP. Weakness: CWE-78.
Risk: critical, score 10.0.

2020-08-12  CVE-2020-6294  Missing Authentication for Critical Function vulnerability in SAP BusinessObjects Business Intelligence Platform 4.2/4.3
Description: The Xvfb component of SAP BusinessObjects Business Intelligence Platform, versions 4.2 and 4.3, on Unix does not perform any authentication checks for functionality that requires a user identity.
Attack vector: network. Attack complexity: low.
Vendor: SAP. Weakness: CWE-306.
Risk: critical, score 9.1.

2020-07-14  CVE-2020-6287  Missing Authentication for Critical Function vulnerability in SAP NetWeaver Application Server Java
Description: SAP NetWeaver AS Java (LM Configuration Wizard), versions 7.30, 7.31, 7.40 and 7.50, does not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP Java system, including creating an administrative user, thereby compromising the confidentiality, integrity and availability of the system.
Attack vector: network. Attack complexity: low.
Vendor: SAP. Weakness: CWE-306.
Risk: critical, score 10.0.

2020-06-10  CVE-2020-6275  Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Application Server ABAP
Description: SAP NetWeaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753 and 754, is vulnerable to Server-Side Request Forgery: an attacker can supply path names containing malicious server names to the session import/export functionality and coerce the web server into authenticating to the malicious server.
Attack vector: network. Attack complexity: low.
Vendor: SAP. Weakness: CWE-918.
Risk: critical, score 9.8.

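The advisory above turns on a file name that names a server rather than a file. The Python validator below is an added example, not SAP's ABAP implementation, of how an import/export feature can refuse such input before it reaches any file API: UNC paths and URLs are rejected outright, the name is restricted to a single plain component, and the resolved path is confirmed to stay under the session directory. The base directory, the name pattern and the one-file-per-session layout are assumptions.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

# Added example, not SAP's ABAP implementation: validating the name a user
# supplies to an import/export feature before it reaches any file API.
# Assumption: sessions live as single files under one fixed server directory.

BASE_DIR = Path("/var/app/sessions")  # assumed location
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


class UnsafeName(ValueError):
    """Raised when a supplied name could reach a remote host or leave BASE_DIR."""


def resolve_session_file(user_name: str, base_dir: Path = BASE_DIR) -> Path:
    """Map a user-supplied session name to a file path inside base_dir."""
    name = user_name.strip()
    if not name or "\x00" in name:
        raise UnsafeName("empty name or NUL byte")

    # Treat backslashes like slashes so Windows-style UNC input is caught too.
    normalized = name.replace("\\", "/")

    # 1. Anything that names another server is out. A UNC path (\\host\share)
    #    or a URL (scheme://host/...) handed to a file API makes the server
    #    open a connection to 'host' and, on Windows, authenticate to it with
    #    its own credentials; that is the SSRF the advisory describes.
    if normalized.startswith("//"):
        raise UnsafeName("UNC path names a remote server")
    parts = urlsplit(normalized)
    if parts.scheme and parts.netloc:
        raise UnsafeName("URL names a remote server")

    # 2. Positive allowlist: one path component, conservative characters,
    #    starting with a letter or digit so "." and ".." can never pass.
    if "/" in normalized or not NAME_RE.fullmatch(normalized):
        raise UnsafeName("name must be a single plain file name")

    # 3. Belt and braces: resolve and confirm the file stays under base_dir.
    root = base_dir.resolve()
    candidate = (root / normalized).resolve()
    if candidate.parent != root:
        raise UnsafeName("name escapes the session directory")
    return candidate


def session_name_is_safe(user_name: str) -> bool:
    """Boolean wrapper for callers that prefer a flag over an exception."""
    try:
        resolve_session_file(user_name)
    except UnsafeName:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and the shapes an attacker
    # would try in order to make the server talk to a host they control.
    for candidate in [
        "sess_2020-06-10.dat",
        "\\\\attacker.example\\share\\sess.dat",
        "//attacker.example/share/sess.dat",
        "file://attacker.example/sess.dat",
        "http://attacker.example/collect",
        "../../etc/passwd",
    ]:
        print(f"{candidate!r:45} -> {session_name_is_safe(candidate)}")
```

The order matters for diagnostics only; the positive allowlist in step 2 would reject every remote form on its own, which is the property to rely on. The explicit UNC and URL checks exist so that logs say why a request was refused.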
2020-05-12  CVE-2020-6242  Missing Authentication for Critical Function vulnerability in SAP BusinessObjects Business Intelligence Platform
Description: SAP BusinessObjects Business Intelligence Platform (Live Data Connect), versions 1.0, 2.0, 2.1, 2.2 and 2.3, allows an attacker to log on to the Central Management Console without a password when the BIPRWS application server is not protected with a specific certificate.
Attack vector: network. Attack complexity: low.
Vendor: SAP. Weakness: CWE-306.
Risk: critical, score 9.8.

2020-04-14  CVE-2020-6238  XXE vulnerability in SAP Commerce Cloud
Description: SAP Commerce, versions 6.6, 6.7, 1808, 1811 and 1905, does not process XML input securely in the REST API of the xyformsweb servlet, leading to missing XML validation.
Attack vector: network. Attack complexity: low.
Vendor: SAP. Weakness: CWE-611.
Risk: critical, score 9.3.

2020-03-10  CVE-2020-6207  Missing Authentication for Critical Function vulnerability in SAP Solution Manager 7.20
Description: SAP Solution Manager (User Experience Monitoring), version 7.2, does not perform any authentication for a service, resulting in complete compromise of all SMDAgents connected to the Solution Manager.
Attack vector: network. Attack complexity: low.
Vendor: SAP. Weakness: CWE-306.
Risk: critical, score 10.0.

2020-02-12  CVE-2020-6192  Improper Input Validation vulnerability in SAP Landscape Management 3.0
Description: SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious commands with root privileges in SAP Host Agent via SAP Landscape Management.
Attack vector: network. Attack complexity: low.
Vendor: SAP. Weakness: CWE-20.
Risk: critical, score 9.0.

2020-02-12  CVE-2020-6191  Improper Input Validation vulnerability in SAP Landscape Management 3.0
Description: SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious executables with root privileges in SAP Host Agent via SAP Landscape Management, due to missing input validation.
Attack vector: network. Attack complexity: low.
Vendor: SAP. Weakness: CWE-20.
Risk: critical, score 9.0.
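CVE-2020-6364 above (OS commands executed from a modified cookie) and CVE-2020-6191 and CVE-2020-6192 here (commands and executables run as root by SAP Host Agent on behalf of a Landscape Management admin) share one shape: untrusted input reaches a command launcher in a more privileged component. The Python below is an added example, not code from CA Introscope Enterprise Manager, SAP Host Agent or SAP Landscape Management; it shows the vulnerable splice of input into a shell string beside a hardened version in which the privileged component keeps an allowlist of operations, validates parameters itself and executes an argv list without a shell. `echo` stands in for the real tools, and the operation table is an assumption.

```python
import re
import subprocess

# Added example, not the code of CA Introscope Enterprise Manager, SAP Host
# Agent or SAP Landscape Management: the command-execution mistake the three
# advisories describe, beside the fix. `echo` stands in for whatever tool the
# real component runs; the operation table is an assumption.


def run_unsafe(untrusted: str) -> str:
    """Vulnerable: the untrusted string (a cookie value, a parameter sent by
    an admin UI) is spliced into a shell command line. A ';' ends the
    intended command and starts the attacker's."""
    return subprocess.run("echo profile=" + untrusted, shell=True,
                          capture_output=True, text=True).stdout


# Hardened: the privileged side decides which programs may run. Callers pick
# an operation by name and pass parameters, never program names or arguments.
ALLOWED_OPERATIONS = {
    "show-profile": ["echo", "profile={name}"],
    "show-version": ["echo", "version={name}"],
}
PARAM_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def run_hardened(operation: str, name: str) -> str:
    """Execute only an allowlisted operation, with validated parameters and
    no shell. Validation happens here, in the component that holds the
    privilege, so it does not matter whether the caller was authenticated
    as an administrator or arrived through a trusted front end."""
    if operation not in ALLOWED_OPERATIONS:
        raise PermissionError(f"operation {operation!r} is not allowed")
    if not PARAM_RE.fullmatch(name):
        raise ValueError("parameter contains characters outside the allowlist")
    argv = [part.format(name=name) for part in ALLOWED_OPERATIONS[operation]]
    # argv list + shell=False: the parameter is exactly one argument and is
    # never parsed by a shell, so metacharacters could not help even if the
    # character allowlist above were relaxed.
    return subprocess.run(argv, capture_output=True, text=True,
                          check=True).stdout


def hardened_accepts(operation: str, name: str) -> bool:
    """True if run_hardened would execute the request."""
    try:
        run_hardened(operation, name)
    except (PermissionError, ValueError):
        return False
    return True


if __name__ == "__main__":
    payload = "prod-01; echo INJECTED"             # constructed attacker input
    print(run_unsafe(payload), end="")              # profile=prod-01 then INJECTED
    print(hardened_accepts("show-profile", payload))        # False
    print(run_hardened("show-profile", "prod-01"), end="")  # profile=prod-01
```

The root-privilege variants in the two Landscape Management entries are the reason the validation sits inside `run_hardened` rather than in the calling UI: an admin of the less privileged product must still be unable to name the program the root-level agent runs.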