Vulnerabilities > SAP > Medium

DATE CVE VULNERABILITY TITLE RISK
2020-12-09 CVE-2020-26836 Open Redirect vulnerability in SAP Solution Manager 7.20
SAP Solution Manager (Trace Analysis), version - 720, allows for misuse of a parameter in the application URL leading to Open Redirect vulnerability, an attacker can enter a link to malicious site which could trick the user to enter credentials or download malicious software, as a parameter in the application URL and share it with the end user who could potentially become a victim of the attack.
network
low complexity
sap CWE-601
6.1
2020-12-09 CVE-2020-26835 Cross-site Scripting vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver AS ABAP, versions - 740, 750, 751, 752, 753, 754 , does not sufficiently encode URL which allows an attacker to input malicious java script in the URL which could be executed in the browser resulting in Reflected Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2020-12-09 CVE-2020-26834 Improper Authentication vulnerability in SAP Hana Database 2.00
SAP HANA Database, version - 2.0, does not correctly validate the username when performing SAML bearer token-based user authentication.
network
low complexity
sap CWE-287
5.4
2020-12-09 CVE-2020-26828 Unrestricted Upload of File with Dangerous Type vulnerability in SAP Disclosure Management 10.1
SAP Disclosure Management, version - 10.1, provides capabilities for authorized users to upload and download content of specific file type.
network
low complexity
sap CWE-434
6.4
2020-12-09 CVE-2020-26826 Unrestricted Upload of File with Dangerous Type vulnerability in SAP Netweaver Application Server Java 7.31/7.40/7.50
Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to Unrestricted File Upload.
network
low complexity
sap CWE-434
6.5
2020-12-09 CVE-2020-26816 Cleartext Storage of Sensitive Information vulnerability in SAP Netweaver Application Server Java
SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted.
low complexity
sap CWE-312
4.5
2020-11-13 CVE-2020-26825 Cross-site Scripting vulnerability in SAP Fiori Launchpad (News Tile Application)
SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to use SAP Fiori Launchpad News tile Application to send malicious code, to a different end user (victim), because News tile does not sufficiently encode user controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2020-11-10 CVE-2020-6316 Missing Authorization vulnerability in SAP ERP and S/4Hana
SAP ERP and SAP S/4 HANA allows an authenticated user to see cost records to objects to which he has no authorization in PS reporting, leading to Missing Authorization check.
network
low complexity
sap CWE-862
4.3
2020-11-10 CVE-2020-26814 Unspecified vulnerability in SAP Process Integration (Pgp Module - Business-To-Business ADD On) 1.0
SAP Process Integration (PGP Module - Business-to-Business Add On), version - 1.0, allows an attacker to read PGP Keys under certain conditions in the PGP Module of Business-to-Business Add-On, these keys can then be used to read messages processed by the module leading to Information Disclosure.
network
low complexity
sap
4.9
2020-11-10 CVE-2020-26811 Server-Side Request Forgery (SSRF) vulnerability in SAP Commerce Cloud (Accelerator Payment Mock)
SAP Commerce Cloud (Accelerator Payment Mock), versions - 1808, 1811, 1905, 2005, allows an unauthenticated attacker to submit a crafted request over a network to a particular SAP Commerce module URL which will be processed without further interaction, the crafted request leads to Server Side Request Forgery attack which could lead to retrieval of limited pieces of information about the service with no impact on integrity or availability.
network
low complexity
sap CWE-918
5.3