Vulnerabilities > SAP > Medium

DATE CVE VULNERABILITY TITLE RISK
2020-03-10 CVE-2020-6178 Information Exposure vulnerability in SAP Enable NOW 10/1902/1908
SAP Enable Now, before version 1911, sends the Session ID cookie value in URL.
network
low complexity
sap CWE-200
5.4
2020-03-09 CVE-2015-7968 XXE vulnerability in SAP Netweaver Application Server
nwbc_ext2int in SAP NetWeaver Application Server before Security Note 2183189 allows XXE attacks for local file inclusion via the sap/bc/ui2/nwbc/nwbc_ext2int/ URI.
network
low complexity
sap CWE-611
4.3
2020-02-12 CVE-2020-6193 Cross-site Scripting vulnerability in SAP Netweaver Knowledge Management
SAP NetWeaver (Knowledge Management ICE Service), versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to execute malicious scripts leading to Reflected Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2020-02-12 CVE-2020-6190 Information Exposure vulnerability in SAP Netweaver Application Server Java
Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and installation path that could be misused by an attacker leading to Information Disclosure.
network
low complexity
sap CWE-200
5.8
2020-02-12 CVE-2020-6189 Information Exposure Through an Error Message vulnerability in SAP Businessobjects Business Intelligence Platform 4.2
Certain settings page(s) in SAP Business Objects Business Intelligence Platform (CMC), version 4.2, generates error messages that can give enterprise private-network related information which would otherwise be restricted leading to Information Disclosure.
network
low complexity
sap CWE-209
5.3
2020-02-12 CVE-2020-6187 XXE vulnerability in SAP Netweaver Guided Procedures
SAP NetWeaver (Guided Procedures), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document input from a compromised admin, leading to Denial of Service.
network
low complexity
sap CWE-611
4.9
2020-02-12 CVE-2020-6185 Cross-site Scripting vulnerability in SAP Netweaver and S/4Hana
Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), allows an authenticated attacker to store a malicious payload which results in Stored Cross Site Scripting vulnerability.
network
low complexity
sap CWE-79
5.4
2020-02-12 CVE-2020-6184 Cross-site Scripting vulnerability in SAP Netweaver and S/4Hana
Under certain conditions, ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), does not sufficiently encode user-controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.1
2020-02-12 CVE-2020-6183 Missing Authorization vulnerability in SAP Host Agent 7.21
SAP Host Agent, version 7.21, allows an unprivileged user to read the shared memory or write to the shared memory by sending request to the main SAPOSCOL process and receive responses that may contain data read with user root privileges e.g.
network
low complexity
sap CWE-862
6.5
2020-02-12 CVE-2020-6181 Unspecified vulnerability in SAP Abap Platform and Netweaver
Under some circumstances the SAML SSO implementation in the SAP NetWeaver (SAP_BASIS versions 702, 730, 731, 740 and SAP ABAP Platform (SAP_BASIS versions 750, 751, 752, 753, 754), allows an attacker to include invalidated data in the HTTP response header sent to a Web user, leading to HTTP Response Splitting vulnerability.
network
low complexity
sap
5.8