SAP vulnerabilities rated High (RISK is the CVSS base score; every entry in this listing falls in the High band)

DATE        CVE            RISK  VULNERABILITY TITLE
(each entry continues with its advisory description, then: attack vector | attack complexity | vendor | CWE)

2020-06-10  CVE-2020-6271  8.2   XML Injection (aka Blind XPath Injection) vulnerability in SAP Solution Manager 7.2
  SAP Solution Manager (Problem Context Manager), version 7.2, does not perform the necessary authentication, allowing an unauthenticated attacker to consume large amounts of memory, crashing the system, and to read restricted data (files visible to technical administration users of the Diagnostics Agent). Note that the advisory text describes a missing authentication check; CWE-91 (XML injection) is the weakness class this listing assigns to the entry.
  Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-91

2020-06-10  CVE-2020-6268  8.1   Missing Authorization vulnerability in SAP ERP (EA-FINSERV) and SAP ERP (S4CORE)
  Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions 600, 603, 604, 605, 606, 616, 617, 618 and 800; S4CORE versions 101, 102, 103 and 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data (Missing Authorization Check).
  Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-862

2020-06-10  CVE-2020-6264  7.5   Unspecified vulnerability in SAP Commerce
  SAP Commerce, versions 6.7, 1808, 1811 and 1905, may under certain conditions allow an attacker to access information that would otherwise be restricted (Information Disclosure).
  Attack vector: network | Attack complexity: low | Vendor: SAP | CWE: none listed

2020-05-12  CVE-2020-6262  8.8   Code Injection vulnerability in SAP Application Server ABAP (ST-PI)
  Service Data Download in SAP Application Server ABAP (ST-PI, before versions 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710 and 740) allows an attacker to inject code that the application then executes (Code Injection).
  Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-94

2020-05-12  CVE-2020-6253  7.2   SQL Injection vulnerability in SAP Adaptive Server Enterprise 15.7/16.0
  Under certain conditions, SAP Adaptive Server Enterprise (Web Services), versions 15.7 and 16.0, allows an authenticated user to execute crafted database queries to elevate their privileges, modify database objects, or execute commands they are not otherwise authorized to execute (SQL Injection).
  Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-89

2020-05-12  CVE-2020-6252  8.0   Unspecified vulnerability in SAP Adaptive Server Enterprise Cockpit 16.0
  Under certain conditions, SAP Adaptive Server Enterprise (Cockpit), version 16.0, allows an attacker with access to the local network to obtain sensitive and confidential information (Information Disclosure).
  Attack vector: adjacent network (the listing omits this field; taken from the description's "access to the local network") | Attack complexity: low | Vendor: SAP | CWE: none listed

2020-05-12  CVE-2020-6249  8.8   SQL Injection vulnerability in SAP Master Data Governance
  An admin backend report in SAP Master Data Governance (S4CORE 101; S4FND 102, 103 and 104; SAP_BS_FND 748) allows an attacker to execute crafted database queries, exposing the backend database (SQL Injection).
  Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-89

2020-05-12  CVE-2020-6248  7.2   Improper Input Validation vulnerability in SAP Adaptive Server Enterprise Backup Server 16.0
  SAP Adaptive Server Enterprise (Backup Server), version 16.0, does not perform the necessary validation checks for an authenticated user executing the DUMP or LOAD command, allowing arbitrary code execution (Code Injection).
  Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-20

2020-05-12  CVE-2020-6247  7.5   Unspecified vulnerability in SAP BusinessObjects Business Intelligence Platform 4.2
  SAP BusinessObjects Business Intelligence Platform, version 4.2, allows an unauthenticated attacker to prevent legitimate users from accessing a service (Denial of Service).
  Attack vector: network | Attack complexity: low | Vendor: SAP | CWE: none listed

2020-05-12  CVE-2020-6244  7.8   Uncontrolled Search Path Element vulnerability in SAP Business Client 7.0
  SAP Business Client, version 7.0, loads DLLs from an uncontrolled search path: after a successful social engineering attack, an attacker can place a malicious DLL in an untrusted directory from which the application loads and executes it.
  Attack vector: local | Attack complexity: low | Vendor: SAP | CWE-427

Triage note: of the network-reachable, low-complexity entries above, only CVE-2020-6271 and CVE-2020-6247 state that no authentication is required; CVE-2020-6268, CVE-2020-6253 and CVE-2020-6248 require an authenticated user, and the remaining entries do not say. CVE-2020-6244 requires local access and user interaction (social engineering).