Severity

SAP© Security advisories 160

 System Types

Affected SAP© system types

_Description
[CVE-2020-6294] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform

_Description
[CVE-2020-6297] Information Disclosure in SAP Data Intelligence

_Description
[CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)

_Description
[CVE-2020-6299] Information Disclosure in SAP NetWeaver (ABAP Server) and ABAP Platform

_Description
[CVE-2020-6295] Information Disclosure in SAP Adaptive Server Enterprise

_Description
Vulnerabilities in open source libraries used in SAP Commerce

_Description
Cross-Site Scripting (XSS) vulnerabilities in modified jQuery bundled with SAPUI5

_Description
[CVE-2020-6301] Missing Authorization check in SAP ERP (HCM Travel Management)

_Description
[CVE-2020-6300] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform(Central Management Console)

_Description
[CVE-2020-6296] Code Injection Vulnerability in SAP NetWeaver (ABAP) and ABAP Platform

_Description
Missing Authorization check in TSW Supply Chain Visualization

_Description
[CVE-2020-6298] Missing Authorization check in SAP Banking Services (Generic Market Data)

_Description
Potential information disclosure in Lumira Designer

_Description
[CVE-2020-6273] Missing Authorization check in SAP S/4 HANA (Fiori UI for General Ledger Accounting)

_Description
[CVE-2020-6293] Unrestricted File Upload in SAP NetWeaver (Knowledge Management)

_Description
[CVE-2020-6310] Information Disclosure in SAP NetWeaver (ABAP Server) and ABAP Platform

_Description
BI Platform stores SAP BW Authentication Password as clear text

_Description
[CVE-2020-6309] Missing Authentication check in SAP NetWeaver AS JAVA

_Description
Checking server certificates and host name of managed systems

_Description
Missing authorization check in Allocation Management

_Description
[CVE-2020-6287] Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard)

_Description
[CVE-2020-6267] Multiple vulnerabilities in SAP Disclosure Management

_Description
Missing Authorization check in Travel Management

_Description
[CVE-2020-6282] Server-Side Request Forgery in SAP NetWeaver AS JAVA (IIOP service)

_Description
[CVE-2020-6280] Information Disclosure in SAP NetWeaver (ABAP Server) and ABAP Platform

_Description
Missing Authorization check in Pricat Inbound and Pricat Outbound

_Description
Directory traversal in BC-MID-ICF

_Description
Switchable Authorization checks for RFC in MM-PUR-GF

_Description
[CVE-2020-6278] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform (BI Launchpad and CMC)

_Description
[CVE-2020-6281] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform(BI Launch pad)

_Description
Missing Authorization Check in S4 ACR Brazil Option

_Description
[CVE-2020-6285] Information Disclosure in SAP NetWeaver (XMLToolkit for Java)

_Description
Switchable authorization checks for RFC in SAP CRM (external billing)

_Description
[CVE-2020-6276] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform(Bipodata)

_Description
[CVE-2020-6265] Use of Hard-coded Credentials in SAP Commerce and SAP Commerce Datahub

_Description
Multiple vulnerabilities in Adobe LiveCycle Designer 11.0

_Description
Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI

_Description
Ghostcat' Apache Tomcat AJP Vulnerability in SAP Liquidity Management for Banking

_Description
[CVE-2020-6271] Missing XML Validation in SAP Solution Manager (Problem Context Manager)

_Description
[CVE-2020-6275] Server Side Request Forgery vulnerability in SAP NetWeaver AS ABAP

_Description
[CVE-2020-6263] Authentication Bypass in Standalone Clients connecting to SAP NetWeaver AS Java via P4 Protocol

_Description
[CVE-2020-6270] Missing Authorization check in SAP Netweaver AS ABAP (Banking Services)

_Description
[CVE-2020-6279] Missing Authorization Check in SAP SuccessFactors Recruiting

_Description
[CVE-2020-6246] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP ( Business Server Pages Test Application SBSPEXT_TABLE)

_Description
[CVE-2020-6269] Information Disclosure in SAP Business Objects Business Intelligence Platform

_Description
[CVE-2020-6264] Information Disclosure in SAP Commerce

_Description
[CVE-2020-6268] Missing authorization check in SAP ERP (Statutory Reporting for Insurance Companies)

_Description
[CVE-2020-6239] Information Disclosure in SAP Business One (Backup Service)

_Description
Update 1 to Security Note 2752614 - [CVE-2019-0319] Content Injection Vulnerability in SAP Gateway

_Description
[CVE-2020-6266] URL redirection in SAP Fiori for SAP S/4HANA

_Description
[CVE-2020-6266] URL redirection in SAP Fiori for SAP S/4HANA

_Description
[CVE-2020-6260] Incomplete XML Validation in SAP Solution Manager (Trace Analysis)

_Description
Switchable Authorization checks for RFC in Environment, Health & Safety

_Description
[CVE-2020-6254] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Threat Detection

_Description
[CVE-2020-6252] Information Disclosure in SAP Adaptive Server Enterprise (Cockpit)

_Description
[CVE-2020-6259] Missing authorization check in SAP Adaptive Server Enterprise

_Description
[CVE-2020-6248] Code injection in SAP Adaptive Server Enterprise (Backup Server)

_Description
[CVE-2020-6262] Code Injection vulnerability in Service Data Download

_Description
[CVE-2020-6243] Code Injection in SAP Adaptive Server Enterprise (XP Server on Windows Platform)

_Description
[CVE-2020-6258] Missing Authorization check in SAP Identity Management

_Description
[CVE-2020-6241] SQL Injection vulnerability in SAP Adaptive Server Enterprise

_Description
This note has been re-released without changes - Cross-Site Request Forgery (CSRF) vulnerability in SAP WebDynpro ABAP

_Description
[CVE-2020-6250] Information Disclosure in SAP Adaptive Server Enterprise

_Description
[CVE-2020-6253] SQL Injection vulnerability in SAP Adaptive Server Enterprise (Web Services)

_Description
[CVE-2020-6235] Missing authentication check in SAP Solution Manager (Diagnostics Agent )

_Description
[CVE-2020-6219] Deserialization of Untrusted Data in SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer)

_Description
[CVE-2020-6212] Missing Authorization Check in SAP ERP & S/4 HANA (Egypt localized Withholding Tax reports)

_Description
[CVE-2020-6227] Remote unauthenticated log injection in SAP Business Objects Business Intelligence Platform (CMS / Auditing issues)

_Description
[CVE-2020-6228] Missing Integrity Check in SAP BUSINESS CLIENT

_Description
[CVE-2020-6226] Cross-Site Scripting (XSS) vulnerabilities in SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface)

_Description
Switchable Authorization checks in SAP Supplier Relationship Management

_Description
[CVE-2020-6213]Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP(Business Server Pages Test Application SBSPEXT_PHTMLB)

_Description
[CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP – Business Server Pages Test Application IT00

_Description
[CVE-2020-6216] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform (BILaunchpad/Opendocument)

_Description
[CVE-2020-6195] Multiple vulnerabilities in SAP Business Objects Business Intelligence Platform

_Description
[CVE-2020-6232] Missing Authorization check in SAP Commerce

_Description
[CVE-2020-6229] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME)

_Description
[CVE-2020-6214] Incorrect Authorization in SAP S/4HANA (Financial Products Subledger)

_Description
[CVE-2020-6238] Missing XML Validation vulnerability in SAP Commerce

_Description
[CVE-2020-6230] Code Injection vulnerability in SAP OrientDB 3.0

_Description
[CVE-2020-6233] Missing Authorization Check in SAP S/4 HANA (Financial Products Subledger and Banking Services)

_Description
[CVE-2020-6224] Information Disclosure in SAP NetWeaver Application Server Java (HTTP Service)

_Description
[CVE-2020-6234] Privilege Escalation in SAP Host Agent

_Description
[CVE-2020-6236] Privilege Escalation in SAP Landscape Management (SAP Adaptive Extensions)

_Description
[CVE-2020-6237] Information Disclosure in SAP Business Objects Business Intelligence Platform (dswsbobje Web Application)

_Description
[CVE-2020-6225] Directory Traversal vulnerability in SAP NetWeaver (Knowledge Management)

_Description
[CVE-2020-6217] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages Test Application IT05)

_Description
[CVE-2020-6222] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)

_Description
[CVE-2020-6203] Path Manipulation in SAP NetWeaver UDDI Server(Services Registry)

_Description
[CVE-2018-2450] SQL Injection Vulnerability in SAP MaxDB/liveCache

_Description
[CVE-2020-6198] Missing Authentication check in SAP Solution Manager (Diagnostics Agent)

_Description
[CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring)

_Description
[CVE-2020-6202] Missing XML Validation in SAP NetWeaver Application Server Java (User Management Engine)

_Description
Missing Authorization check in Commercial Project Management

_Description
[CVE-2020-6205] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP Business Server Pages  (Smart Forms)

_Description
[CVE-2020-6178] Insufficient session expiration in SAP Enable Now Manager

_Description
[CVE-2020-6199] Missing Authorization check in SAP ERP and S/4 HANA (MENA Certificate Management)

_Description
[CVE-2020-6210] Cross-Site Scripting (XSS) vulnerability in SAP Fiori Launchpad

_Description
Directory traversal in SAP Environment Health and Safety

_Description
[CVE-2020-6208] Remote Code Execution in SAP Business Objects Business Intelligence Platform (Crystal Reports)

_Description
[CVE-2020-6200] Cross-Site-Scripting in SAP Commerce Cloud (SmartEdit extension)

_Description
[CVE-2020-6201] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Cloud (testweb extension)

_Description
Missing XML Validation vulnerability in ABAP Development Tools

_Description
[CVE-2020-6206] Cross-Site Request Forgery in SAP Cloud Platform Integration for data services

_Description
[CVE-2020-6209] Missing Authorization check in SAP Disclosure Management

_Description
[CVE-2020-6197] Insufficient session expiration in SAP Enable Now Manager

_Description
[CVE-2020-6204] Missing Authorization check in SAP Treasury and Risk Management (Transaction Management)

_Description
[CVE-2020-6196] Denial of service (DOS) in SAP BusinessObjects Mobile (MobileBIService)

_Description
[CVE-2020-6190]Information Disclosure in SAP NetWeaver AS Java (Heap Dump Application)

_Description
[CVE-2020-6184 ]Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver and SAP S/4HANA

_Description
[CVE-2020-6188] Missing Authorization check in SAP ERP and S/4 HANA (VAT Pro-Rata reports)

_Description
[CVE-2020-6183] Unprivileged Access to technical data using SAPOSCOL of SAP Host Agent

_Description
Missing authorization check in IS-B-BCA-AM

_Description
[CVE-2020-6186] Denial of Service (DOS) Vulnerability in SAP Host Agent

_Description
Missing Authorization Check in SAP Mobile Platform Native SDK, Android

_Description
[CVE-2020-6189] Information Disclosure in SAP BusinessObjects BI Central Management Console

_Description
[CVE-2020-6192] Missing Input Validation in SAP Landscape Management

_Description
Update 1 to Security Note 2736825 - [CVE-2019-0271] Denial of Service via XML External Entity (XXE) vulnerability in ABAP Server

_Description
[CVE-2020-6187]Missing XML Validation vulnerability in SAP NetWeaver(Guided Procedures)

_Description
[CVE-2020-6181] HTTP Response Splitting vulnerability in SAP NetWeaver and ABAP Platform

_Description
[CVE-2020-6191] Missing Input Validation in SAP Landscape Management

_Description
[CVE-2020-6193]Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Knowledge Management ICE Service)

_Description
[CVE-2020-6177] Missing XML Validation vulnerability in SAP Mobile Platform

_Description
Security updates for the browser control Google Chromium delivered with SAP Business Client

_Description
Missing Authorization check in SAP NetWeaver (ABAP Server)

_Description
[CVE-2019-0271] Denial of Service via XML External Entity (XXE) vulnerability in ABAP Server

_Description
Missing authorization check in Dangerous Goods Management of EHS Services in SCM

_Description
[CVE-2020-6306] Missing Authorization check in SAP Leasing

_Description
Switchable Authorization checks for RFC in SAP Leasing

_Description
[CVE-2019-0388] Content spoofing vulnerability in UI5 HTTP Handler

_Description
Whitelist service for Clickjacking Framing Protection in AS ABAP

_Description
Missing authorization check in Transaction Manager

_Description
Missing Authorization check in Realtech RTCISM 100

_Description
[CVE-2020-6303] Improper input validation in SAP Disclosure Management

_Description
[CVE-2020-6305] Cross-Site Scripting (XSS) vulnerability in Rest Adapter of SAP Process Integration

_Description
[CVE-2020-6307] Missing Authorization Check in Automated Note Search Tool (SAP_BASIS)

_Description
[CVE-2020-6304] Denial of service (DOS) in SAP NetWeaver Internet Communication Manager

_Description
Multiple security vulnerabilities in SAP EAM, add-on for MRO 4.0 by HCL for SAP S/4HANA 1809

_Description
[CVE-2019-0402] Information Disclosure in SAP Adaptive Server Enterprise

_Description
[CVE-2019-0395] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad)

_Description
Missing Authorization Check in S/4Hana ACR Brazil Option Features

_Description
Information Disclosure in PI Axis Adapter

_Description
[CVE-2019-0405] Multiple Security vulnerabilities in SAP Enable Now release 1911

_Description
Upgrade SSL support to TLSv1.2

_Description
[CVE-2019-0398] Cross-Site Request Forgery (CSRF) vulnerability in SAP BusinessObjects Business Intelligence Platform (Monitoring application)

_Description
Missing Authorization Check in SAP Cash Management

_Description
[CVE-2019-0399] Potential Information Disclosure in SAP Portfolio and Project Management

_Description
[CVE-2019-0386] - Missing authorization check in ERP Sales and SAP S/4HANA sales (SD-SLS)

_Description
[CVE-2019-0391] Information Disclosure in SAP NetWeaver Application Server Java (eCATT service)

_Description
[CVE-2019-0383] Missing Authorization check in SAP Treasury and Risk Management (Transaction Management)

_Description
[CVE-2019-0390] Information Disclosure in SAP Data Hub

_Description
Update 2 to Security Note 2808158: [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent

_Description
VMC Authority Check

_Description
[CVE-2019-0396] Missing XML Validation vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)

_Description
[CVE-2019-0389] Privilege escalation in SAP NetWeaver Application Server Java

_Description
[CVE-2019-0393] SQL injection vulnerability in SAP Quality Management

_Description
[CVE-2019-0382] XSS vulnerabilty in SAP Business Objects BI Platform (Web Intelligence)

_Description
[CVE-2019-0384] Missing Authorization check in SAP Treasury and Risk Management (Transaction Management)

_Description
[CVE-2019-0385] Cross-Site Scripting (XSS) vulnerability in SAP Enable Now

_Description
Detailed error messages with stack trace in Web Dynpro