Critical vulnerabilities in SAP products

Each entry gives DATE, CVE and VULNERABILITY TITLE, then the description, then RISK (attack vector, attack complexity, vendor and CWE, severity, score).
2020-12-09 CVE-2020-26837 Path Traversal vulnerability in SAP Solution Manager 7.20
SAP Solution Manager 7.2 (User Experience Monitoring), version 7.2, allows an authenticated user to upload a malicious script that exploits an existing path-traversal flaw. Impact: confidentiality is compromised (elements of the file system are exposed), integrity is partially compromised (some configurations can be modified) and availability is partially compromised (certain services can be made unavailable).
Risk: attack vector network, low attack complexity, vendor SAP, CWE-22, severity critical, score 9.1
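The entry above is a CWE-22 flaw reached through an upload: the attacker controls a file name and the server joins it to a directory without checking where the result lands. The following is an added illustration, not SAP code and not taken from the advisory: the unsafe join beside a contained one, run against a constructed upload directory. The directory layout, file names and the symlink case are assumptions for the example.

```python
# Added example (not SAP code): keeping an uploaded file name inside its base directory.
import os
import tempfile


def unsafe_target(base_dir: str, user_name: str) -> str:
    """Vulnerable pattern: trust the client-supplied name and join it as-is.

    os.path.join discards base_dir when user_name is absolute, and '..'
    segments walk out of base_dir; normpath only tidies the result.
    """
    return os.path.normpath(os.path.join(base_dir, user_name))


def safe_target(base_dir: str, user_name: str) -> str:
    """Hardened pattern: resolve both sides and require containment.

    realpath resolves symlinks as well, so a link planted inside base_dir that
    points elsewhere is caught too. Raises ValueError on any escape attempt.
    """
    base = os.path.realpath(base_dir)
    if not user_name or "\x00" in user_name or os.path.isabs(user_name):
        raise ValueError(f"rejected upload name: {user_name!r}")
    candidate = os.path.realpath(os.path.join(base, user_name))
    # commonpath compares whole components, so 'uploads2' is not mistaken for
    # something inside 'uploads'; a plain startswith() check would be.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes upload directory: {user_name!r}")
    return candidate


def unsafe_join_escapes(base_dir: str, user_name: str) -> bool:
    """True when the unsafe join would write outside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(unsafe_target(base, user_name))
    return os.path.commonpath([base, target]) != base


def demo() -> dict:
    """Run both patterns against a constructed upload directory.

    Assumption: a POSIX filesystem; the symlink case is skipped if links
    cannot be created. Returns {name: (unsafe_escapes, safe_accepts)}.
    """
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        names = ["report.xml", "../secret.txt", "/etc/passwd"]
        try:
            # A link inside the upload directory that points outside it.
            os.symlink(root, os.path.join(uploads, "link"))
            names.append("link/secret.txt")
        except OSError:
            pass
        results = {}
        for name in names:
            try:
                safe_target(uploads, name)
                accepted = True
            except ValueError:
                accepted = False
            results[name] = (unsafe_join_escapes(uploads, name), accepted)
        return results


if __name__ == "__main__":
    for name, (escapes, accepted) in demo().items():
        print(f"{name!r:20} unsafe join escapes: {escapes!s:5} "
              f"safe join accepts: {accepted}")
```

The check is done on the resolved path, not on the string the client sent: stripping `..` from the name is not enough when a symlink or an absolute path gives the same escape without any `..` at all.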
2020-12-09 CVE-2020-26831 Unspecified vulnerability in SAP Businessobjects Business Intelligence Platform 4.1/4.2/4.3
SAP BusinessObjects BI Platform (Crystal Reports), versions 4.1, 4.2 and 4.3, does not sufficiently validate uploaded XML entities during Crystal Report generation because XML validation is missing. An attacker with basic privileges can inject arbitrary XML entities (XML external entity injection), leading to disclosure of internal files and directories, Server-Side Request Forgery (SSRF) and denial of service (DoS).
Risk: attack vector network, low attack complexity, vendor SAP, no CWE listed, severity critical, score 9.6
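The mechanism behind the entry above is that a DOCTYPE in the attacker's document declares an entity whose SYSTEM identifier names a local file or a URL, and a parser that dereferences it leaks the content, reaches internal hosts, or expands nested entities until memory runs out. The block below is an added example using Python's expat binding, not Crystal Reports or SAP code: a resolver that dereferences file: entities beside a parser that refuses any DOCTYPE. The file name, element names and entity name are constructed for the example.

```python
# Added example (not SAP code): XML external entity resolution, unsafe and refused.
import os
import tempfile
from xml.parsers import expat


class DoctypeRejected(ValueError):
    """Raised by the hardened parser when the document carries a DOCTYPE."""


def parse_resolving_entities(xml_bytes: bytes) -> str:
    """Vulnerable configuration: dereference SYSTEM entities that name files.

    Returns the document's character data, which ends up containing the
    file pulled in through the entity.
    """
    text = []
    parser = expat.ParserCreate()

    def on_external_entity(context, base, system_id, public_id):
        # The dangerous step: the resolver opens whatever the document names
        # and feeds it back in as the entity's replacement text.
        if system_id.startswith("file://"):
            child = parser.ExternalEntityParserCreate(context)
            with open(system_id[len("file://"):], "rb") as fh:
                child.Parse(fh.read(), True)
        return 1

    parser.CharacterDataHandler = text.append
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(text)


def parse_rejecting_doctype(xml_bytes: bytes) -> str:
    """Hardened configuration: refuse any document with a DOCTYPE.

    Without a DTD no entity can be declared, which closes the external
    entity, SSRF and entity-expansion routes at once. No resolver is
    installed either, so an external reference could not be followed anyway.
    """
    text = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} not allowed in uploaded XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)


def demo() -> dict:
    """Build a report with a file: entity and run it through both parsers.

    The target file and its content are constructed for the example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "db.conf")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("password=hunter2")
        payload = (
            '<?xml version="1.0"?>'
            f'<!DOCTYPE report [<!ENTITY xxe SYSTEM "file://{secret}">]>'
            '<report><title>&xxe;</title></report>'
        ).encode()
        leaked = parse_resolving_entities(payload)
        try:
            parse_rejecting_doctype(payload)
            rejected = False
        except DoctypeRejected:
            rejected = True
        benign = parse_rejecting_doctype(b"<report><title>Q4</title></report>")
    return {"leaked": leaked, "rejected": rejected, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

Rejecting the DOCTYPE outright is the simplest fix for an upload path where no legitimate document needs a DTD; in Java parsers the equivalent is the `disallow-doctype-decl` feature on the factory.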
2020-12-09 CVE-2020-26829 Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver AS Java (P2P Cluster Communication), versions 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, accepts arbitrary connections from processes outside the cluster, and even from outside the network segment dedicated to internal cluster communication, because an authentication check is missing.
Risk: attack vector network, low attack complexity, vendor SAP, CWE-306, severity critical, score 10.0
2020-11-10 CVE-2020-26824 Missing Authentication for Critical Function vulnerability in SAP Solution Manager 7.20
SAP Solution Manager (Java stack), version 7.20, allows an unauthenticated attacker to compromise the system because authorization checks are missing in the Upgrade Legacy Ports Service; this affects the integrity and availability of the service.
Risk: attack vector network, low attack complexity, vendor SAP, CWE-306, severity critical, score 10.0
2020-11-10 CVE-2020-26823 Missing Authentication for Critical Function vulnerability in SAP Solution Manager 7.20
SAP Solution Manager (Java stack), version 7.20, allows an unauthenticated attacker to compromise the system because authorization checks are missing in the Upgrade Diagnostics Agent Connection Service; this affects the integrity and availability of the service.
Risk: attack vector network, low attack complexity, vendor SAP, CWE-306, severity critical, score 10.0
2020-11-10 CVE-2020-26822 Missing Authentication for Critical Function vulnerability in SAP Solution Manager 7.20
SAP Solution Manager (Java stack), version 7.20, allows an unauthenticated attacker to compromise the system because authorization checks are missing in the Outside Discovery Configuration Service; this affects the integrity and availability of the service.
Risk: attack vector network, low attack complexity, vendor SAP, CWE-306, severity critical, score 10.0
2020-11-10 CVE-2020-26821 Missing Authentication for Critical Function vulnerability in SAP Solution Manager 7.20
SAP Solution Manager (Java stack), version 7.20, allows an unauthenticated attacker to compromise the system because authorization checks are missing in the SVG Converter Service; this affects the integrity and availability of the service.
Risk: attack vector network, low attack complexity, vendor SAP, CWE-306, severity critical, score 10.0
2020-10-15 CVE-2020-6364 OS Command Injection vulnerability in SAP Introscope Enterprise Manager
SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5 and 10.7) allow an attacker to modify a cookie in a way that causes OS commands to be executed, potentially gaining control over the host running the CA Introscope Enterprise Manager (code injection).
Risk: attack vector network, low attack complexity, vendor SAP, CWE-78, severity critical, score 10.0
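The general shape of the bug in the entry above is a request value that is spliced into a command string and handed to a shell. What follows is an added example, not Introscope or SAP code and not the advisory's exploit: a hypothetical `lang` cookie used to run a shell command, with the fix beside it (allow-list the value, then pass an argument vector with no shell in between). Cookie names, the command and the values are constructed for the example.

```python
# Added example (not SAP code): a cookie value spliced into an OS command.
import os
import re
import subprocess
import tempfile

# Hypothetical allow-list for a 'lang' cookie: 'en' or 'de_DE' style tags only.
ALLOWED_LANG = re.compile(r"[a-z]{2}(_[A-Z]{2})?")


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie: header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def banner_unsafe(cookie_header: str) -> str:
    """Vulnerable: the raw cookie value is interpolated into a shell command.

    Anything the shell treats specially, such as $(...), backticks or '|',
    is executed on the host, so the client decides what runs.
    """
    lang = parse_cookie_header(cookie_header).get("lang", "en")
    done = subprocess.run(f"echo Language: {lang}", shell=True,
                          capture_output=True, text=True)
    return done.stdout


def banner_safe(cookie_header: str) -> str:
    """Hardened: validate against the allow-list, then run an argument
    vector with no shell in between, so the value is only ever data."""
    lang = parse_cookie_header(cookie_header).get("lang", "en")
    if not ALLOWED_LANG.fullmatch(lang):
        raise ValueError(f"rejected lang cookie: {lang!r}")
    done = subprocess.run(["echo", f"Language: {lang}"],
                          capture_output=True, text=True)
    return done.stdout


def demo() -> dict:
    """Send a hostile and a benign cookie through both versions.

    Assumption: a POSIX /bin/sh is available. The marker file shows whether
    the injected command actually ran.
    """
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "pwned")
        # Cookie values may not contain whitespace, so ${IFS} stands in for
        # the space between 'touch' and its argument.
        hostile = "session=abc123; lang=en$(touch${IFS}" + marker + ")"
        unsafe_out = banner_unsafe(hostile)
        created = os.path.exists(marker)
        try:
            banner_safe(hostile)
            rejected = False
        except ValueError:
            rejected = True
        safe_out = banner_safe("session=abc123; lang=de_DE")
    return {"unsafe_output": unsafe_out, "marker_created": created,
            "hostile_rejected": rejected, "safe_output": safe_out}


if __name__ == "__main__":
    print(demo())
```

Quoting the value for the shell is not the fix; removing the shell is. The argument-vector call cannot be made to run a second command however the value is shaped, and the allow-list limits what reaches the program at all.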
2020-08-12 CVE-2020-6294 Missing Authentication for Critical Function vulnerability in SAP Businessobjects Business Intelligence Platform 4.2/4.3
The Xvfb component of SAP BusinessObjects Business Intelligence Platform, versions 4.2 and 4.3, on Unix does not perform any authentication checks for functionality that requires a user identity.
Risk: attack vector network, low attack complexity, vendor SAP, CWE-306, severity critical, score 9.1
2020-08-12 CVE-2020-6284 Cross-site Scripting vulnerability in SAP Netweaver Knowledge Management
SAP NetWeaver (Knowledge Management), versions 7.30, 7.31, 7.40 and 7.50, allows script content in a stored file to execute automatically, with the privileges of the user who accesses the file, because of inadequate filtering (stored cross-site scripting).
Risk: attack vector network, low attack complexity, vendor SAP, CWE-79, severity critical, score 9.0
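The entry above is the stored-file variant of XSS: a file a user uploaded is later served back, the browser renders it in the portal's origin, and any script in it runs with the session of whoever opens it. As an added example, not Knowledge Management or SAP code, the block below shows the response-header policy that lets that happen beside one that does not: allow-list the content type, sniff the stored bytes for active content, force a download for everything else, and stop the browser from second-guessing the type. The allow-list, marker strings and file names are assumptions for the example.

```python
# Added example (not SAP code): response headers for serving a stored user file.
import re

# Types a browser may render inline without script execution in the serving
# origin (assumption: a deliberately small allow-list for this example).
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain"}

# Byte patterns that mark a stored file as active content whatever its label.
ACTIVE_MARKERS = (b"<script", b"<html", b"<!doctype", b"<svg", b"javascript:")


def looks_active(head: bytes) -> bool:
    """Sniff the first bytes of a stored file for HTML, SVG or script markers."""
    sample = head[:1024].lower()
    return any(marker in sample for marker in ACTIVE_MARKERS)


def headers_unsafe(filename: str, declared_type: str) -> dict:
    """Vulnerable pattern: serve inline with the type the uploader declared.

    A stored HTML or SVG file is then rendered in the portal's origin, and
    the file name goes into the header unescaped.
    """
    return {"Content-Type": declared_type,
            "Content-Disposition": f'inline; filename="{filename}"'}


def headers_safe(filename: str, declared_type: str, head: bytes) -> dict:
    """Hardened pattern: allow-listed types inline, everything else as a
    download, with nosniff and a sandboxing CSP on every response."""
    ctype = declared_type.split(";")[0].strip().lower()
    if ctype in INLINE_SAFE_TYPES and not looks_active(head):
        disposition = "inline"
    else:
        ctype = "application/octet-stream"
        disposition = "attachment"
    # Strip anything that could break out of the quoted header parameter.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        "Content-Type": ctype,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed inputs: an HTML file uploaded under an innocent-looking name.
    html = b"<html><script>alert(document.cookie)</script></html>"
    print(headers_unsafe('report".html', "text/html"))
    print(headers_safe('report".html', "text/html", html))
    print(headers_safe("notes.txt", "text/plain", html))
    print(headers_safe("logo.png", "image/png", b"\x89PNG\r\n\x1a\n"))
```

The sniffing step matters because the declared type is attacker-controlled too: a file labelled `text/plain` or `image/png` that starts with `<html` is still rendered as a page by a browser that is allowed to guess, which is exactly what `nosniff` forbids.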