Vendor CVEs
SAP
All CVEs
1,818 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-6284 | 0.00 | — | 0.02 | Aug 12, 2020 | SAP NetWeaver (Knowledge Management), versions - 7.30, 7.31, 7.40, 7.50, allows the automatic execution of script content in a stored file due to inadequate filtering with the accessing user's privileges. If the accessing user has administrative privileges, then the execution of… | |||
| CVE-2020-6273 | 0.00 | — | 0.01 | Aug 12, 2020 | SAP S/4 HANA (Fiori UI for General Ledger Accounting), versions 103, 104, does not perform necessary authorization checks for an authenticated user working with attachment service, allowing the attacker to delete attachments due to Missing Authorization Check. | |||
| CVE-2020-6280 | 0.00 | — | 0.01 | Jul 14, 2020 | SAP NetWeaver (ABAP Server) and ABAP Platform, versions 731, 740, 750, allows an attacker with admin privileges to access certain files which should otherwise be restricted, leading to Information Disclosure. | |||
| CVE-2020-6285 | 0.00 | — | 0.01 | Jul 14, 2020 | SAP NetWeaver - XML Toolkit for JAVA (ENGINEAPI) (versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50), under certain conditions allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure. | |||
| CVE-2020-6276 | 0.00 | — | 0.01 | Jul 14, 2020 | SAP Business Objects Business Intelligence Platform (bipodata), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability. | |||
| CVE-2020-6278 | 0.00 | — | 0.01 | Jul 14, 2020 | SAP Business Objects Business Intelligence Platform (BI Launchpad and CMC), versions 4.1, 4.2, allows to an attacker to embed malicious scripts in the application while uploading images, which gets executed when the victim opens these files, leading to Stored Cross Site Scripting | |||
| CVE-2020-6281 | 0.00 | — | 0.01 | Jul 14, 2020 | SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting reflected in Cross-Site Scripting. | |||
| CVE-2020-6282 | 0.00 | — | 0.01 | Jul 14, 2020 | SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send a crafted request from a vulnerable web… | |||
| CVE-2020-6261 | 0.00 | — | 0.01 | Jul 1, 2020 | SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to perform a log injection into the trace file, due to Incomplete XML Validation. The readability of the trace file is impaired. | |||
| CVE-2020-6266 | 0.00 | — | 0.01 | Jun 10, 2020 | SAP Fiori for SAP S/4HANA, versions - 100, 200, 300, 400, allows an attacker to redirect users to a malicious site due to insufficient URL validation, leading to URL Redirection. | |||
| CVE-2020-6263 | 0.00 | — | 0.01 | Jun 10, 2020 | Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not perform any authentication checks for… | |||
| CVE-2020-6260 | 0.00 | — | 0.01 | Jun 10, 2020 | SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to inject superflous data that can be displayed by the application, due to Incomplete XML Validation. The application shows additional data that do not actually exist. | |||
| CVE-2020-6275 | 0.00 | — | 0.01 | Jun 10, 2020 | SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request Forgery Attack where in an attacker can use inappropriate path names containing malicious server names in the import/export of sessions… | |||
| CVE-2020-6271 | 0.00 | — | 0.01 | Jun 10, 2020 | SAP Solution Manager (Problem Context Manager), version 7.2, does not perform the necessary authentication, allowing an attacker to consume large amounts of memory, causing the system to crash and read restricted data (files visible for technical administration users of the… | |||
| CVE-2020-6269 | 0.00 | — | 0.01 | Jun 10, 2020 | Under certain conditions SAP Business Objects Business Intelligence Platform, version 4.2, allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure. | |||
| CVE-2020-6270 | 0.00 | — | 0.01 | Jun 10, 2020 | SAP NetWeaver AS ABAP (Banking Services), versions - 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not perform necessary authorization checks for an authenticated user due to Missing Authorization Check, allowing wrong and unexpected change of individual conditions… | |||
| CVE-2020-6268 | 0.00 | — | 0.01 | Jun 10, 2020 | Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper… | |||
| CVE-2020-6246 | 0.00 | — | 0.01 | Jun 10, 2020 | SAP NetWeaver AS ABAP Business Server Pages Test Application SBSPEXT_TABLE, versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability. | |||
| CVE-2020-6239 | 0.00 | — | 0.00 | Jun 10, 2020 | Under certain conditions SAP Business One (Backup service), versions 9.3, 10.0, allows an attacker with admin permissions to view SYSTEM user password in clear text, leading to Information Disclosure. | |||
| CVE-2020-6265 | 0.00 | — | 0.01 | Jun 9, 2020 | SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials. | |||
| CVE-2020-6242 | 0.00 | — | 0.01 | May 12, 2020 | SAP Business Objects Business Intelligence Platform (Live Data Connect), versions 1.0, 2.0, 2.1, 2.2, 2.3, allows an attacker to logon on the Central Management Console without password in case of the BIPRWS application server was not protected with some specific certificate,… | |||
| CVE-2020-6254 | 0.00 | — | 0.01 | May 12, 2020 | SAP Enterprise Threat Detection, versions 1.0, 2.0, does not sufficiently encode error response pages in case of errors, allowing XSS payload reflecting in the response, leading to reflected Cross Site Scripting. | |||
| CVE-2020-6244 | 0.00 | — | 0.00 | May 12, 2020 | SAP Business Client, version 7.0, allows an attacker after a successful social engineering attack to inject malicious code as a DLL file in untrusted directories that can be executed by the application, due to uncontrolled search path element. An attacker could thereby control… | |||
| CVE-2020-6257 | 0.00 | — | 0.01 | May 12, 2020 | SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad) 4.2 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability. | |||
| CVE-2020-6262 | 0.00 | — | 0.01 | May 12, 2020 | Service Data Download in SAP Application Server ABAP (ST-PI, before versions 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the… | |||
| CVE-2020-6256 | 0.00 | — | 0.01 | May 12, 2020 | SAP Master Data Governance, versions - 748, 749, 750, 751, 752, 800, 801, 802, 803, 804, allows users to display change request details without having required authorizations, due to Missing Authorization Check. | |||
| CVE-2020-6251 | 0.00 | — | 0.01 | May 12, 2020 | Under certain conditions or error scenarios SAP Business Objects Business Intelligence Platform, version 4.2, allows an attacker to access information which would otherwise be restricted. | |||
| CVE-2020-6247 | 0.00 | — | 0.01 | May 12, 2020 | SAP Business Objects Business Intelligence Platform, version 4.2, allows an unauthenticated attacker to prevent legitimate users from accessing a service. Using a specially crafted request, the attacker can crash or flood the Central Management Server, thereby impacting system… | |||
| CVE-2020-6245 | 0.00 | — | 0.00 | May 12, 2020 | SAP Business Objects Business Intelligence Platform, version 4.2, allows an attacker with access to local instance, to inject file or code that can be executed by the application due to Improper Control of Resource Identifiers. | |||
| CVE-2020-6249 | 0.00 | — | 0.01 | May 12, 2020 | The use of an admin backend report within SAP Master Data Governance, versions - S4CORE 101, S4FND 102, 103, 104, SAP_BS_FND 748; allows an attacker to execute crafted database queries, exposing the backend database, leading to SQL Injection. | |||
| CVE-2020-6240 | 0.00 | — | 0.01 | May 12, 2020 | SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service leading to Denial of Service | |||
| CVE-2020-6212 | 0.00 | — | 0.01 | Apr 24, 2020 | Egypt localized withholding tax reports Clearing of Liabilities and Remittance Statement and Summary in SAP ERP (versions 618, 730, EAPPLGLO 607) and S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user, allowing… | |||
| CVE-2020-6213 | 0.00 | — | 0.01 | Apr 24, 2020 | SAP NetWeaver AS ABAP Business Server Pages Test Application SBSPEXT_PHTMLB, versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, is vulnerable to reflected Cross-Site Scripting (XSS) via different URL parameters as it does not sufficiently encode user controlled… | |||
| CVE-2020-6211 | 0.00 | — | 0.01 | Apr 14, 2020 | SAP Business Objects Business Intelligence Platform (AdminTools), versions 4.1, 4.2, allows an attacker to redirect users to a malicious site due to insufficient URL validation and steal credentials of the victim, leading to URL Redirection vulnerability. | |||
| CVE-2020-6217 | 0.00 | — | 0.01 | Apr 14, 2020 | SAP NetWeaver AS ABAP Business Server Pages Test Application IT00, versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability. | |||
| CVE-2020-6225 | 0.00 | — | 0.01 | Apr 14, 2020 | SAP NetWeaver (Knowledge Management), versions (KMC-CM - 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 and KMC-WPC 7.30, 7.31, 7.40, 7.50), does not sufficiently validate path information provided by users, thus characters representing traverse to parent directory are passed through… | |||
| CVE-2020-6195 | 0.00 | — | 0.01 | Apr 14, 2020 | SAP Business Objects Business Intelligence Platform (CMC), version 4.1, 4.2, shows cleartext password in the response, leading to Information Disclosure. It involves social engineering in order to gain access to system and If password is known, it would give administrative… | |||
| CVE-2020-6236 | 0.00 | — | 0.01 | Apr 14, 2020 | SAP Landscape Management, version 3.0, and SAP Adaptive Extensions, version 1.0, allows an attacker with admin_group privileges to change ownership and permissions (including S-user ID bit s-bit) of arbitrary files remotely. This results in the possibility to execute these files… | |||
| CVE-2020-6234 | 0.00 | — | 0.04 | Apr 14, 2020 | SAP Host Agent, version 7.21, allows an attacker with admin privileges to use the operation framework to gain root privileges over the underlying operating system, leading to Privilege Escalation. | |||
| CVE-2020-6237 | 0.00 | — | 0.01 | Apr 14, 2020 | Under certain conditions, SAP Business Objects Business Intelligence Platform, version 4.1, 4.2, dswsbobje web application allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure. | |||
| CVE-2020-6235 | 0.00 | — | 0.02 | Apr 14, 2020 | SAP Solution Manager (Diagnostics Agent), version 7.2, does not perform the authentication check for the functionalities of the Collector Simulator, leading to Missing Authentication. | |||
| CVE-2020-6233 | 0.00 | — | 0.01 | Apr 14, 2020 | SAP S/4 HANA (Financial Products Subledger and Banking Services), versions - FSAPPL 400, 450, 500 and S4FPSL 100, allows an authenticated user to run an analysis report due to Missing Authorization Check, resulting in slowing the system. | |||
| CVE-2020-6226 | 0.00 | — | 0.01 | Apr 14, 2020 | SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||
| CVE-2020-6231 | 0.00 | — | 0.01 | Apr 14, 2020 | SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||
| CVE-2020-6228 | 0.00 | — | 0.00 | Apr 14, 2020 | SAP Business Client, versions 6.5, 7.0, does not perform necessary integrity checks which could be exploited by an attacker under certain conditions to modify the installer. | |||
| CVE-2020-6224 | 0.00 | — | 0.01 | Apr 14, 2020 | SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to… | |||
| CVE-2020-6229 | 0.00 | — | 0.01 | Apr 14, 2020 | SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME), versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not sufficiently encode user controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability. | |||
| CVE-2020-6227 | 0.00 | — | 0.01 | Apr 14, 2020 | SAP Business Objects Business Intelligence Platform (CMS / Auditing issues), version 4.2, allows attacker to send specially crafted GIOP packets to several services due to Improper Input Validation, allowing to forge additional entries in GLF log files. | |||
| CVE-2020-6219 | 0.00 | — | 0.01 | Apr 14, 2020 | SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1, 4.2, and Crystal Reports for VS version 2010, allows an attacker with basic authorization to perform deserialization attack in the application, leading to service interruptions and… | |||
| CVE-2020-6222 | 0.00 | — | 0.01 | Apr 14, 2020 | SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. |
- CVE-2020-6284Aug 12, 2020risk 0.00cvss —epss 0.02
SAP NetWeaver (Knowledge Management), versions - 7.30, 7.31, 7.40, 7.50, allows the automatic execution of script content in a stored file due to inadequate filtering with the accessing user's privileges. If the accessing user has administrative privileges, then the execution of…
- CVE-2020-6273Aug 12, 2020risk 0.00cvss —epss 0.01
SAP S/4 HANA (Fiori UI for General Ledger Accounting), versions 103, 104, does not perform necessary authorization checks for an authenticated user working with attachment service, allowing the attacker to delete attachments due to Missing Authorization Check.
- CVE-2020-6280Jul 14, 2020risk 0.00cvss —epss 0.01
SAP NetWeaver (ABAP Server) and ABAP Platform, versions 731, 740, 750, allows an attacker with admin privileges to access certain files which should otherwise be restricted, leading to Information Disclosure.
- CVE-2020-6285Jul 14, 2020risk 0.00cvss —epss 0.01
SAP NetWeaver - XML Toolkit for JAVA (ENGINEAPI) (versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50), under certain conditions allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure.
- CVE-2020-6276Jul 14, 2020risk 0.00cvss —epss 0.01
SAP Business Objects Business Intelligence Platform (bipodata), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability.
- CVE-2020-6278Jul 14, 2020risk 0.00cvss —epss 0.01
SAP Business Objects Business Intelligence Platform (BI Launchpad and CMC), versions 4.1, 4.2, allows to an attacker to embed malicious scripts in the application while uploading images, which gets executed when the victim opens these files, leading to Stored Cross Site Scripting
- CVE-2020-6281Jul 14, 2020risk 0.00cvss —epss 0.01
SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting reflected in Cross-Site Scripting.
- CVE-2020-6282Jul 14, 2020risk 0.00cvss —epss 0.01
SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send a crafted request from a vulnerable web…
- CVE-2020-6261Jul 1, 2020risk 0.00cvss —epss 0.01
SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to perform a log injection into the trace file, due to Incomplete XML Validation. The readability of the trace file is impaired.
- CVE-2020-6266Jun 10, 2020risk 0.00cvss —epss 0.01
SAP Fiori for SAP S/4HANA, versions - 100, 200, 300, 400, allows an attacker to redirect users to a malicious site due to insufficient URL validation, leading to URL Redirection.
- CVE-2020-6263Jun 10, 2020risk 0.00cvss —epss 0.01
Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not perform any authentication checks for…
- CVE-2020-6260Jun 10, 2020risk 0.00cvss —epss 0.01
SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to inject superflous data that can be displayed by the application, due to Incomplete XML Validation. The application shows additional data that do not actually exist.
- CVE-2020-6275Jun 10, 2020risk 0.00cvss —epss 0.01
SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request Forgery Attack where in an attacker can use inappropriate path names containing malicious server names in the import/export of sessions…
- CVE-2020-6271Jun 10, 2020risk 0.00cvss —epss 0.01
SAP Solution Manager (Problem Context Manager), version 7.2, does not perform the necessary authentication, allowing an attacker to consume large amounts of memory, causing the system to crash and read restricted data (files visible for technical administration users of the…
- CVE-2020-6269Jun 10, 2020risk 0.00cvss —epss 0.01
Under certain conditions SAP Business Objects Business Intelligence Platform, version 4.2, allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure.
- CVE-2020-6270Jun 10, 2020risk 0.00cvss —epss 0.01
SAP NetWeaver AS ABAP (Banking Services), versions - 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not perform necessary authorization checks for an authenticated user due to Missing Authorization Check, allowing wrong and unexpected change of individual conditions…
- CVE-2020-6268Jun 10, 2020risk 0.00cvss —epss 0.01
Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper…
- CVE-2020-6246Jun 10, 2020risk 0.00cvss —epss 0.01
SAP NetWeaver AS ABAP Business Server Pages Test Application SBSPEXT_TABLE, versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.
- CVE-2020-6239Jun 10, 2020risk 0.00cvss —epss 0.00
Under certain conditions SAP Business One (Backup service), versions 9.3, 10.0, allows an attacker with admin permissions to view SYSTEM user password in clear text, leading to Information Disclosure.
- CVE-2020-6265Jun 9, 2020risk 0.00cvss —epss 0.01
SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials.
- CVE-2020-6242May 12, 2020risk 0.00cvss —epss 0.01
SAP Business Objects Business Intelligence Platform (Live Data Connect), versions 1.0, 2.0, 2.1, 2.2, 2.3, allows an attacker to logon on the Central Management Console without password in case of the BIPRWS application server was not protected with some specific certificate,…
- CVE-2020-6254May 12, 2020risk 0.00cvss —epss 0.01
SAP Enterprise Threat Detection, versions 1.0, 2.0, does not sufficiently encode error response pages in case of errors, allowing XSS payload reflecting in the response, leading to reflected Cross Site Scripting.
- CVE-2020-6244May 12, 2020risk 0.00cvss —epss 0.00
SAP Business Client, version 7.0, allows an attacker after a successful social engineering attack to inject malicious code as a DLL file in untrusted directories that can be executed by the application, due to uncontrolled search path element. An attacker could thereby control…
- CVE-2020-6257May 12, 2020risk 0.00cvss —epss 0.01
SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad) 4.2 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability.
- CVE-2020-6262May 12, 2020risk 0.00cvss —epss 0.01
Service Data Download in SAP Application Server ABAP (ST-PI, before versions 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the…
- CVE-2020-6256May 12, 2020risk 0.00cvss —epss 0.01
SAP Master Data Governance, versions - 748, 749, 750, 751, 752, 800, 801, 802, 803, 804, allows users to display change request details without having required authorizations, due to Missing Authorization Check.
- CVE-2020-6251May 12, 2020risk 0.00cvss —epss 0.01
Under certain conditions or error scenarios SAP Business Objects Business Intelligence Platform, version 4.2, allows an attacker to access information which would otherwise be restricted.
- CVE-2020-6247May 12, 2020risk 0.00cvss —epss 0.01
SAP Business Objects Business Intelligence Platform, version 4.2, allows an unauthenticated attacker to prevent legitimate users from accessing a service. Using a specially crafted request, the attacker can crash or flood the Central Management Server, thereby impacting system…
- CVE-2020-6245May 12, 2020risk 0.00cvss —epss 0.00
SAP Business Objects Business Intelligence Platform, version 4.2, allows an attacker with access to local instance, to inject file or code that can be executed by the application due to Improper Control of Resource Identifiers.
- CVE-2020-6249May 12, 2020risk 0.00cvss —epss 0.01
The use of an admin backend report within SAP Master Data Governance, versions - S4CORE 101, S4FND 102, 103, 104, SAP_BS_FND 748; allows an attacker to execute crafted database queries, exposing the backend database, leading to SQL Injection.
- CVE-2020-6240May 12, 2020risk 0.00cvss —epss 0.01
SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service leading to Denial of Service
- CVE-2020-6212Apr 24, 2020risk 0.00cvss —epss 0.01
Egypt localized withholding tax reports Clearing of Liabilities and Remittance Statement and Summary in SAP ERP (versions 618, 730, EAPPLGLO 607) and S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user, allowing…
- CVE-2020-6213Apr 24, 2020risk 0.00cvss —epss 0.01
SAP NetWeaver AS ABAP Business Server Pages Test Application SBSPEXT_PHTMLB, versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, is vulnerable to reflected Cross-Site Scripting (XSS) via different URL parameters as it does not sufficiently encode user controlled…
- CVE-2020-6211Apr 14, 2020risk 0.00cvss —epss 0.01
SAP Business Objects Business Intelligence Platform (AdminTools), versions 4.1, 4.2, allows an attacker to redirect users to a malicious site due to insufficient URL validation and steal credentials of the victim, leading to URL Redirection vulnerability.
- CVE-2020-6217Apr 14, 2020risk 0.00cvss —epss 0.01
SAP NetWeaver AS ABAP Business Server Pages Test Application IT00, versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.
- CVE-2020-6225Apr 14, 2020risk 0.00cvss —epss 0.01
SAP NetWeaver (Knowledge Management), versions (KMC-CM - 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 and KMC-WPC 7.30, 7.31, 7.40, 7.50), does not sufficiently validate path information provided by users, thus characters representing traverse to parent directory are passed through…
- CVE-2020-6195Apr 14, 2020risk 0.00cvss —epss 0.01
SAP Business Objects Business Intelligence Platform (CMC), version 4.1, 4.2, shows cleartext password in the response, leading to Information Disclosure. It involves social engineering in order to gain access to system and If password is known, it would give administrative…
- CVE-2020-6236Apr 14, 2020risk 0.00cvss —epss 0.01
SAP Landscape Management, version 3.0, and SAP Adaptive Extensions, version 1.0, allows an attacker with admin_group privileges to change ownership and permissions (including S-user ID bit s-bit) of arbitrary files remotely. This results in the possibility to execute these files…
- CVE-2020-6234Apr 14, 2020risk 0.00cvss —epss 0.04
SAP Host Agent, version 7.21, allows an attacker with admin privileges to use the operation framework to gain root privileges over the underlying operating system, leading to Privilege Escalation.
- CVE-2020-6237Apr 14, 2020risk 0.00cvss —epss 0.01
Under certain conditions, SAP Business Objects Business Intelligence Platform, version 4.1, 4.2, dswsbobje web application allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure.
- CVE-2020-6235Apr 14, 2020risk 0.00cvss —epss 0.02
SAP Solution Manager (Diagnostics Agent), version 7.2, does not perform the authentication check for the functionalities of the Collector Simulator, leading to Missing Authentication.
- CVE-2020-6233Apr 14, 2020risk 0.00cvss —epss 0.01
SAP S/4 HANA (Financial Products Subledger and Banking Services), versions - FSAPPL 400, 450, 500 and S4FPSL 100, allows an authenticated user to run an analysis report due to Missing Authorization Check, resulting in slowing the system.
- CVE-2020-6226Apr 14, 2020risk 0.00cvss —epss 0.01
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
- CVE-2020-6231Apr 14, 2020risk 0.00cvss —epss 0.01
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
- CVE-2020-6228Apr 14, 2020risk 0.00cvss —epss 0.00
SAP Business Client, versions 6.5, 7.0, does not perform necessary integrity checks which could be exploited by an attacker under certain conditions to modify the installer.
- CVE-2020-6224Apr 14, 2020risk 0.00cvss —epss 0.01
SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to…
- CVE-2020-6229Apr 14, 2020risk 0.00cvss —epss 0.01
SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME), versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not sufficiently encode user controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.
- CVE-2020-6227Apr 14, 2020risk 0.00cvss —epss 0.01
SAP Business Objects Business Intelligence Platform (CMS / Auditing issues), version 4.2, allows attacker to send specially crafted GIOP packets to several services due to Improper Input Validation, allowing to forge additional entries in GLF log files.
- CVE-2020-6219Apr 14, 2020risk 0.00cvss —epss 0.01
SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1, 4.2, and Crystal Reports for VS version 2010, allows an attacker with basic authorization to perform deserialization attack in the application, leading to service interruptions and…
- CVE-2020-6222Apr 14, 2020risk 0.00cvss —epss 0.01
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Page 28 of 37