Vulnerabilities > SAP > Critical

DATE CVE VULNERABILITY TITLE RISK
2020-07-14 CVE-2020-6287 Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
network
low complexity
sap CWE-306
critical
10.0
2020-06-10 CVE-2020-6275 Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Application Server Abap
SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request Forgery Attack where in an attacker can use inappropriate path names containing malicious server names in the import/export of sessions functionality and coerce the web server into authenticating with the malicious server.
network
low complexity
sap CWE-918
critical
9.8
2020-06-10 CVE-2020-6263 Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server Java
Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not perform any authentication checks for operations that require user identity leading to Authentication Bypass.
network
low complexity
sap CWE-306
critical
9.8
2020-06-09 CVE-2020-6265 Use of Hard-coded Credentials vulnerability in SAP Commerce and Commerce Data HUB
SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials.
network
low complexity
sap CWE-798
critical
9.8
2020-05-12 CVE-2020-6242 Missing Authentication for Critical Function vulnerability in SAP Businessobjects Business Intelligence Platform
SAP Business Objects Business Intelligence Platform (Live Data Connect), versions 1.0, 2.0, 2.1, 2.2, 2.3, allows an attacker to logon on the Central Management Console without password in case of the BIPRWS application server was not protected with some specific certificate, leading to Missing Authentication Check.
network
low complexity
sap CWE-306
critical
9.8
2020-04-14 CVE-2020-6195 Insufficiently Protected Credentials vulnerability in SAP Businessobjects Business Intelligence Platform 4.1/4.2
SAP Business Objects Business Intelligence Platform (CMC), version 4.1, 4.2, shows cleartext password in the response, leading to Information Disclosure.
network
low complexity
sap CWE-522
critical
9.8
2020-04-14 CVE-2020-6238 XXE vulnerability in SAP Commerce Cloud
SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation.
network
low complexity
sap CWE-611
critical
9.3
2020-03-10 CVE-2020-6207 Missing Authentication for Critical Function vulnerability in SAP Solution Manager 7.20
SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.
network
low complexity
sap CWE-306
critical
9.8
2020-03-10 CVE-2020-6203 Path Traversal vulnerability in SAP Netweaver
SAP NetWeaver UDDI Server (Services Registry), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file APIs, leading to Path Traversal.
network
low complexity
sap CWE-22
critical
9.1
2020-03-10 CVE-2020-6198 Cleartext Transmission of Sensitive Information vulnerability in SAP Solution Manager 7.20
SAP Solution Manager (Diagnostics Agent), version 720, allows unencrypted connections from unauthenticated sources.
network
low complexity
sap CWE-319
critical
9.8