Vulnerabilities > SAP > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-12-09 | CVE-2020-26826 | Unrestricted Upload of File with Dangerous Type vulnerability in SAP Netweaver Application Server Java 7.31/7.40/7.50 Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to Unrestricted File Upload. | 6.5 |
2020-12-09 | CVE-2020-26816 | Cleartext Storage of Sensitive Information vulnerability in SAP Netweaver Application Server Java SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. | 4.5 |
2020-11-13 | CVE-2020-26825 | Cross-site Scripting vulnerability in SAP Fiori Launchpad (News Tile Application) SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to use SAP Fiori Launchpad News tile Application to send malicious code, to a different end user (victim), because News tile does not sufficiently encode user controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2020-11-10 | CVE-2020-6316 | Missing Authorization vulnerability in SAP ERP and S/4Hana SAP ERP and SAP S/4 HANA allows an authenticated user to see cost records to objects to which he has no authorization in PS reporting, leading to Missing Authorization check. | 4.3 |
2020-11-10 | CVE-2020-26814 | Unspecified vulnerability in SAP Process Integration (Pgp Module - Business-To-Business ADD On) 1.0 SAP Process Integration (PGP Module - Business-to-Business Add On), version - 1.0, allows an attacker to read PGP Keys under certain conditions in the PGP Module of Business-to-Business Add-On, these keys can then be used to read messages processed by the module leading to Information Disclosure. | 4.9 |
2020-11-10 | CVE-2020-26811 | Server-Side Request Forgery (SSRF) vulnerability in SAP Commerce Cloud (Accelerator Payment Mock) SAP Commerce Cloud (Accelerator Payment Mock), versions - 1808, 1811, 1905, 2005, allows an unauthenticated attacker to submit a crafted request over a network to a particular SAP Commerce module URL which will be processed without further interaction, the crafted request leads to Server Side Request Forgery attack which could lead to retrieval of limited pieces of information about the service with no impact on integrity or availability. | 5.3 |
2020-11-10 | CVE-2020-26809 | Incorrect Default Permissions vulnerability in SAP Commerce Cloud SAP Commerce Cloud, versions- 1808,1811,1905,2005, allows an attacker to bypass existing authentication and permission checks via the '/medias' endpoint hence gaining access to Secure Media folders. | 5.3 |
2020-10-20 | CVE-2020-6370 | Cross-site Scripting vulnerability in SAP Netweaver Design Time Repository SAP NetWeaver Design Time Repository (DTR), versions - 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | 4.8 |
2020-10-20 | CVE-2020-6369 | Unspecified vulnerability in SAP Focused RUN and Solution Manager SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7), allows an unauthenticated attackers to bypass the authentication if the default passwords for Admin and Guest have not been changed by the administrator.This may impact the confidentiality of the service. | 5.9 |
2020-10-20 | CVE-2020-6367 | Cross-site Scripting vulnerability in SAP Netweaver Composite Application Framework There is a reflected cross site scripting vulnerability in SAP NetWeaver Composite Application Framework, versions - 7.20, 7.30, 7.31, 7.40, 7.50. | 6.1 |