Vulnerabilities > SAP > High

DATE CVE VULNERABILITY TITLE RISK
2020-09-09 CVE-2020-6302 Unspecified vulnerability in SAP Commerce
SAP Commerce versions 6.7, 1808, 1811, 1905, 2005 contains the jSession ID in the backoffice URL when the application is loaded initially.
network
high complexity
sap
8.1
2020-08-12 CVE-2020-6309 Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the attacker to send several payloads and leading to complete denial of service.
network
low complexity
sap CWE-306
7.5
2020-08-12 CVE-2020-6301 Missing Authorization vulnerability in SAP HCM Travel Management
SAP ERP (HCM Travel Management), versions - 600, 602, 603, 604, 605, 606, 607, 608, allows an authenticated but unauthorized attacker to read, modify and settle trips, resulting in escalation of privileges, due to Missing Authorization Check.
network
low complexity
sap CWE-862
8.1
2020-08-12 CVE-2020-6298 Missing Authorization vulnerability in SAP Generic Market Data 400/450/500
SAP Banking Services (Generic Market Data), versions - 400, 450, 500, allows an unauthorized user to display protected Business Partner Generic Market Data (GMD) and change related GMD key figure values, due to Missing Authorization Check.
network
low complexity
sap CWE-862
8.1
2020-08-12 CVE-2020-6296 Unspecified vulnerability in SAP Abap Platform and Netweaver Application Server Abap
SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, allows an attacker to inject code that can be executed by the application, leading to Code Injection.
network
low complexity
sap
8.8
2020-08-12 CVE-2020-6295 Incorrect Permission Assignment for Critical Resource vulnerability in SAP Adaptive Server Enterprise 16.0
Under certain conditions the SAP Adaptive Server Enterprise, version 16.0, allows an attacker to access encrypted sensitive and confidential information through publicly readable installation log files leading to a compromise of the installed Cockpit.
local
low complexity
sap CWE-732
7.8
2020-07-14 CVE-2020-6292 Insufficient Session Expiration vulnerability in SAP Disclosure Management 10.1
Logout mechanism in SAP Disclosure Management, version 10.1, does not invalidate one of the session cookies, leading to Insufficient Session Expiration.
network
low complexity
sap CWE-613
8.8
2020-07-14 CVE-2020-6291 Insufficient Session Expiration vulnerability in SAP Disclosure Management 10.1
SAP Disclosure Management, version 10.1, session mechanism does not have expiration data set therefore allows unlimited access after authenticating once, leading to Insufficient Session Expiration
network
low complexity
sap CWE-613
8.8
2020-07-14 CVE-2020-6289 Cross-Site Request Forgery (CSRF) vulnerability in SAP Disclosure Management 10.1
SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.
network
low complexity
sap CWE-352
8.8
2020-06-10 CVE-2020-6271 XML Injection (aka Blind XPath Injection) vulnerability in SAP Solution Manager 7.2
SAP Solution Manager (Problem Context Manager), version 7.2, does not perform the necessary authentication, allowing an attacker to consume large amounts of memory, causing the system to crash and read restricted data (files visible for technical administration users of the diagnostics agent).
network
low complexity
sap CWE-91
8.2