Filtered by vendor Sap
Total: 1493 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2020-6223 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-08-04 | 6.1 Medium | The open document of SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, allows an attacker to modify certain error pages to include malicious content. This can misdirect a user who is tricked into accessing these error pages rendered by the application, leading to Content Spoofing. |
CVE-2020-6309 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-04 | 7.5 High | SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service, allowing the attacker to send several payloads and leading to complete denial of service. |
CVE-2020-6264 | 1 Sap | 1 Commerce | 2024-08-04 | 7.5 High | SAP Commerce, versions - 6.7, 1808, 1811, 1905, may allow an attacker to access information under certain conditions which would otherwise be restricted, leading to Information Disclosure. |
CVE-2020-6329 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-08-04 | 4.3 Medium | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open a manipulated SKP file received from untrusted sources, which results in the application crashing and becoming temporarily unavailable until the user restarts it; this is caused by Improper Input Validation. |
CVE-2020-6320 | 1 Sap | 1 Marketing | 2024-08-04 | 8.1 High | SAP Marketing (Servlet), versions 130, 140, 150, allows an authenticated attacker to invoke certain functions that are restricted. Limited knowledge of the payload is required for an attacker to exploit the vulnerability and perform tasks related to contact and interaction data, which impacts Confidentiality and Integrity of data in the application. |
CVE-2020-6289 | 1 Sap | 1 Disclosure Management | 2024-08-04 | 8.8 High | SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick a user into browsing a malicious site. |
CVE-2020-6308 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-08-04 | 5.3 Medium | SAP BusinessObjects Business Intelligence Platform (Web Services), versions - 410, 420, 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, an attacker can scan the internal network to determine internal infrastructure and gather information for further attacks like remote file inclusion, retrieve server files, bypass the firewall and force the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability. |
CVE-2020-6330 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-08-04 | 4.3 Medium | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open a manipulated 3DM file received from untrusted sources, which results in the application crashing and becoming temporarily unavailable until the user restarts it; this is caused by Improper Input Validation. |
CVE-2020-6296 | 1 Sap | 2 Abap Platform, Netweaver Application Server Abap | 2024-08-04 | 8.8 High | SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, allows an attacker to inject code that can be executed by the application, leading to Code Injection. An attacker could thereby control the behavior of the application. |
CVE-2020-6268 | 1 Sap | 2 Erp (ea-finserv), Erp (s4core) | 2024-08-04 | 8.1 High | Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data, leading to Missing Authorization Check. |
CVE-2020-6287 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-04 | 10.0 Critical | SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check. |
CVE-2020-6256 | 1 Sap | 1 Master Data Governance | 2024-08-04 | 4.3 Medium | SAP Master Data Governance, versions - 748, 749, 750, 751, 752, 800, 801, 802, 803, 804, allows users to display change request details without having the required authorizations, due to Missing Authorization Check. |
CVE-2020-6258 | 1 Sap | 1 Identity Management | 2024-08-04 | 6.5 Medium | SAP Identity Management, version 8.0, does not perform necessary authorization checks for an authenticated user, allowing the attacker to view certain sensitive information of the victim, leading to Missing Authorization Check. |
CVE-2020-6291 | 1 Sap | 1 Disclosure Management | 2024-08-04 | 8.8 High | SAP Disclosure Management, version 10.1, session mechanism does not have expiration data set and therefore allows unlimited access after authenticating once, leading to Insufficient Session Expiration. |
CVE-2020-6281 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-08-04 | 6.1 Medium | SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting. |
CVE-2020-6226 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-08-04 | 5.4 Medium | SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. |
CVE-2020-6273 | 1 Sap | 1 S/4 Hana Fiori Ui For General Ledger Accounting | 2024-08-04 | 4.3 Medium | SAP S/4 HANA (Fiori UI for General Ledger Accounting), versions 103, 104, does not perform necessary authorization checks for an authenticated user working with the attachment service, allowing the attacker to delete attachments due to Missing Authorization Check. |
CVE-2020-6295 | 1 Sap | 1 Adaptive Server Enterprise | 2024-08-04 | 7.8 High | Under certain conditions, SAP Adaptive Server Enterprise, version 16.0, allows an attacker to access encrypted sensitive and confidential information through publicly readable installation log files, leading to a compromise of the installed Cockpit. This compromise could enable the attacker to view, modify and/or make unavailable any data associated with the Cockpit, leading to Information Disclosure. |
CVE-2020-6238 | 1 Sap | 1 Commerce Cloud | 2024-08-04 | 9.3 Critical | SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce. |
CVE-2020-6260 | 1 Sap | 1 Solution Manager | 2024-08-04 | 5.3 Medium | SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to inject superfluous data that can be displayed by the application, due to Incomplete XML Validation. The application shows additional data that do not actually exist. |