Vulnerabilities > SAP > Medium

DATE CVE VULNERABILITY TITLE RISK
2020-12-09 CVE-2020-26826 Unrestricted Upload of File with Dangerous Type vulnerability in SAP Netweaver Application Server Java 7.31/7.40/7.50
Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to Unrestricted File Upload.
network
low complexity
sap CWE-434
6.5
2020-12-09 CVE-2020-26816 Cleartext Storage of Sensitive Information vulnerability in SAP Netweaver Application Server Java
SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted.
low complexity
sap CWE-312
4.5
2020-11-13 CVE-2020-26825 Cross-site Scripting vulnerability in SAP Fiori Launchpad (News Tile Application)
SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to use SAP Fiori Launchpad News tile Application to send malicious code, to a different end user (victim), because News tile does not sufficiently encode user controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2020-11-10 CVE-2020-6316 Missing Authorization vulnerability in SAP ERP and S/4Hana
SAP ERP and SAP S/4 HANA allows an authenticated user to see cost records to objects to which he has no authorization in PS reporting, leading to Missing Authorization check.
network
low complexity
sap CWE-862
4.3
2020-11-10 CVE-2020-26814 Unspecified vulnerability in SAP Process Integration (Pgp Module - Business-To-Business ADD On) 1.0
SAP Process Integration (PGP Module - Business-to-Business Add On), version - 1.0, allows an attacker to read PGP Keys under certain conditions in the PGP Module of Business-to-Business Add-On, these keys can then be used to read messages processed by the module leading to Information Disclosure.
network
low complexity
sap
4.9
2020-11-10 CVE-2020-26811 Server-Side Request Forgery (SSRF) vulnerability in SAP Commerce Cloud (Accelerator Payment Mock)
SAP Commerce Cloud (Accelerator Payment Mock), versions - 1808, 1811, 1905, 2005, allows an unauthenticated attacker to submit a crafted request over a network to a particular SAP Commerce module URL which will be processed without further interaction, the crafted request leads to Server Side Request Forgery attack which could lead to retrieval of limited pieces of information about the service with no impact on integrity or availability.
network
low complexity
sap CWE-918
5.3
2020-11-10 CVE-2020-26809 Incorrect Default Permissions vulnerability in SAP Commerce Cloud
SAP Commerce Cloud, versions- 1808,1811,1905,2005, allows an attacker to bypass existing authentication and permission checks via the '/medias' endpoint hence gaining access to Secure Media folders.
network
low complexity
sap CWE-276
5.3
2020-10-20 CVE-2020-6370 Cross-site Scripting vulnerability in SAP Netweaver Design Time Repository
SAP NetWeaver Design Time Repository (DTR), versions - 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
4.8
2020-10-20 CVE-2020-6369 Unspecified vulnerability in SAP Focused RUN and Solution Manager
SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7), allows an unauthenticated attackers to bypass the authentication if the default passwords for Admin and Guest have not been changed by the administrator.This may impact the confidentiality of the service.
network
high complexity
sap
5.9
2020-10-20 CVE-2020-6367 Cross-site Scripting vulnerability in SAP Netweaver Composite Application Framework
There is a reflected cross site scripting vulnerability in SAP NetWeaver Composite Application Framework, versions - 7.20, 7.30, 7.31, 7.40, 7.50.
network
low complexity
sap CWE-79
6.1