CVSS: 8.8EPSS: 0%CPEs: 22EXPL: 0CVE-2020-6296
https://notcve.org/view.php?id=CVE-2020-6296
12 Aug 2020 — SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, allows an attacker to inject code that can be executed by the application, leading to Code Injection. An attacker could thereby control the behavior of the application. SAP NetWeaver (ABAP Server) y plataforma ABAP, versiones: 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, permiten a un atacante inyectar código que puede ser ejecutado por la aplicación conllevando a una Inyecció... • https://launchpad.support.sap.com/#/notes/2941667 •
CVSS: 4.0EPSS: 0%CPEs: 6EXPL: 0CVE-2020-6280
https://notcve.org/view.php?id=CVE-2020-6280
14 Jul 2020 — SAP NetWeaver (ABAP Server) and ABAP Platform, versions 731, 740, 750, allows an attacker with admin privileges to access certain files which should otherwise be restricted, leading to Information Disclosure. SAP NetWeaver (ABAP Server) y ABAP Platform, versiones 731, 740, 750, permiten a un atacante con privilegios de administrador acceder a determinados archivos que de otro modo deberían estar restringidos, conllevando a una Divulgación de Información • https://launchpad.support.sap.com/#/notes/2927373 •
CVSS: 5.8EPSS: 0%CPEs: 7EXPL: 0CVE-2020-6282
https://notcve.org/view.php?id=CVE-2020-6282
14 Jul 2020 — SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. SAP NetWeaver AS JAVA (servici... • https://launchpad.support.sap.com/#/notes/2896025 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 1CVE-2020-6286
https://notcve.org/view.php?id=CVE-2020-6286
14 Jul 2020 — The insufficient input path validation of certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal. La comprobación insuficiente de la ruta de entrada de determinados parámetros en el servicio web de SAP NetWeaver AS JAVA (LM Configuration Wizard), versiones 7.30, 7.31, 7.40, 7.50, permite a un atacante no autentica... • https://github.com/murataydemir/CVE-2020-6286 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 97%CPEs: 4EXPL: 8CVE-2020-6287 – SAP NetWeaver Missing Authentication for Critical Function Vulnerability
https://notcve.org/view.php?id=CVE-2020-6287
14 Jul 2020 — SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check. SAP NetWeaver AS JAVA (LM Configuration Wizard), versiones 7.3... • https://packetstorm.news/files/id/180810 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2020-6263
https://notcve.org/view.php?id=CVE-2020-6263
10 Jun 2020 — Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not perform any authentication checks for operations that require user identity leading to Authentication Bypass. Los clientes dedicados que se conectan a SAP NetWeaver AS Java por medio del protocolo P4, versiones (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.... • https://launchpad.support.sap.com/#/notes/2878568 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 0%CPEs: 13EXPL: 0CVE-2020-6275
https://notcve.org/view.php?id=CVE-2020-6275
10 Jun 2020 — SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request Forgery Attack where in an attacker can use inappropriate path names containing malicious server names in the import/export of sessions functionality and coerce the web server into authenticating with the malicious server. Furthermore, if NTLM is setup the attacker can compromise confidentiality, integrity and availability of the SAP database. SAP Netweaver AS ABAP, version... • https://launchpad.support.sap.com/#/notes/2912939 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.5EPSS: 0%CPEs: 11EXPL: 0CVE-2020-6270
https://notcve.org/view.php?id=CVE-2020-6270
10 Jun 2020 — SAP NetWeaver AS ABAP (Banking Services), versions - 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not perform necessary authorization checks for an authenticated user due to Missing Authorization Check, allowing wrong and unexpected change of individual conditions by a malicious user leading to wrong prices. SAP NetWeaver AS ABAP (Banking Services), versiones: 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, no realiza las comprobaciones de autorización necesarias para un usuario autent... • https://launchpad.support.sap.com/#/notes/2916562 • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2020-6240
https://notcve.org/view.php?id=CVE-2020-6240
12 May 2020 — SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service leading to Denial of Service SAP NetWeaver AS ABAP (Web Dynpro ABAP), versiones (SAP_UI 750, 752, 753, 754 y SAP_BASIS 700, 710, 730, 731, 804), permite a un atacante no autenticado impedir a usuarios legítimos el acceso a un servicio, ya sea mediante el bloqueo o... • https://launchpad.support.sap.com/#/notes/2856923 •
CVSS: 6.2EPSS: 0%CPEs: 7EXPL: 0CVE-2020-6224
https://notcve.org/view.php?id=CVE-2020-6224
14 Apr 2020 — SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to Information Disclosure. SAP NetWeaver AS Java (HTTP Service), versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, permite a un atacante con privilegios de administrador acceder a datos confidenciales del usuario, tales como contraseñas... • https://launchpad.support.sap.com/#/notes/2826528 • CWE-532: Insertion of Sensitive Information into Log File •