We've created SecurityBridge Cloud Platform, the first of its kind, designed to prioritize SAP patches, updates, and remediation strategies that help prevent disruptions to critical business systems. Our security advisories provide SAP users with valuable insights into the security and business implications of operating SAP.

The user interface is designed to be as intuitive as possible, but we’d love to hear your feedback and suggestions.

Yikes, there is work to do!
This time we found critical correction advisories. We count 21 and the highest CVSS score is 10.0.

[Charts: SAP© Security advisories by severity (21); affected SAP© system types]

| Advisory | CVSS | Affected system type | Patchday | Released on | Description |
|---|---|---|---|---|---|
| 2969828 | 10.0 | Solution Manager | 2020-10 | 2020/10/13 | [CVE-2020-6364] OS Command Injection Vulnerability in CA Introscope Enterprise Manager (Affected Products: SAP Solution Manager and SAP Focused Run) |
| 2972661 | 8.2 | Java | 2020-10 | 2020/10/13 | [CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework |
| 2969457 | 7.6 | Java | 2020-10 | 2020/10/13 | [CVE-2020-6366] Missing XML Validation in SAP NetWeaver (Compare Systems) |
| 2971638 | 7.5 | SAP Solution Manager... | 2020-10 | 2020/10/13 | [CVE-2020-6369] Hard-coded Credentials in CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run) |
| 2883638 | 6.5 | ABAP | 2020-10 | 2020/10/13 | Information Disclosure in Supplier Relationship Management |
| 2956398 | 6.1 | Java | 2020-10 | 2020/10/13 | [CVE-2020-6319] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java |
| 2973497 | 5.7 | SAP 3D Visual Enterprise | 2020-10 | 2020/10/13 | [CVE-2020-6315] Multiple Vulnerabilities in SAP 3D Visual Enterprise Viewer |
| 2917381 | 5.4 | SAP Commerce Cloud | 2020-10 | 2020/10/13 | [CVE-2020-6272] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Cloud |
| 2873099 | 5.4 | ABAP | 2020-10 | 2020/10/13 | Missing Authorization check in EHS Task Definition attachments |
| 2960825 | 5.4 | ABAP | 2020-10 | 2020/10/13 | [CVE-2020-6368] Cross-Site Scripting (XSS) vulnerability in SAP Business Planning and Consolidation |
| 2943844 | 5.3 | BI/BO platform | 2020-10 | 2020/10/13 | [CVE-2020-6308] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Services) |
| 2939419 | 4.8 | SAP NetWeaver... | 2020-10 | 2020/10/13 | [CVE-2020-6370] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (DI Design Time Repository) |
| 2965315 | 4.7 | Java | 2020-10 | 2020/10/13 | [CVE-2020-6365] Reverse Tabnabbing vulnerability in SAP NetWeaver AS Java Start Page |
| 2945581 | 4.7 | SAP CRM UI | 2020-10 | 2020/09/22 | Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI |
| 2606194 | 4.4 | ABAP | 2020-10 | 2020/09/09 | Cross-Site Scripting (XSS) vulnerability in CRM Interaction Center |
| 2960329 | 4.4 | SAP Enterprise Portal... | 2020-10 | 2020/10/13 | [CVE-2020-6323] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (Fiori Framework Page) |
| 2963137 | 4.3 | ABAP | 2020-10 | 2020/10/13 | [CVE-2020-6371] Information disclosure in SAP NetWeaver AS ABAP via the POWL Test Feeder endpoint |
| 2955963 | 4.3 | ABAP | 2020-10 | 2020/10/13 | Cross-Site Request Forgery (CSRF) in SAP Marketing |
| 2953212 | 4.3 | ABAP | 2020-10 | 2020/10/13 | [CVE-2020-6362] Incorrect Authorization in SAP Banking Services |
| 2965287 | 3.7 | SAP Commerce Cloud | 2020-10 | 2020/10/13 | [CVE-2020-6363] Insufficient Session Expiration in SAP Commerce Cloud |
| 2973100 | 3.6 | ABAP | 2020-10 | 2020/10/13 | Missing Authorization check in Manage Substitutions - Products and Manage Exclusions - Products |