CVSS: 5.4EPSS: 0%CPEs: 7EXPL: 0CVE-2020-26816
https://notcve.org/view.php?id=CVE-2020-26816
SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. This enables an attacker who has administrator access to the SAP NetWeaver AS Java to decode the keys because of missing encryption and get some application data and client credentials of adjacent systems. This highly impacts Confidentiality as information disclosed could contain client credentials of adjacent systems. SAP AS JAVA (Key Storage Service), versiones - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, posee el material de claves que es almacenado en el servicio SAP NetWeaver AS Java Key Storage almacenado en la base de datos en el formato codificado DER. y no está cifrado. Esto permite a un atacante que tiene acceso de administrador a SAP NetWeaver AS Java decodificar las claves debido a la falta de cifrado y obtener algunos datos de la aplicación y las credenciales de cliente de los sistemas adyacentes. • https://launchpad.support.sap.com/#/notes/2971163 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2020-26818
https://notcve.org/view.php?id=CVE-2020-26818
SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, which reveals sensitive system information that would otherwise be restricted to highly privileged users because of missing authorization, resulting in Information Disclosure. SAP NetWeaver AS ABAP (Web Dynpro), versiones: 731, 740, 750, 751, 752, 753, 754, 755, 782, permite a un usuario autenticado acceder a los componentes de Web Dynpro, lo que revela información confidencial del sistema que podría de otro modo estar restringido a usuarios altamente privilegiados debido a una falta de autorización, resultando en una Divulgación de Información • https://launchpad.support.sap.com/#/notes/2971954 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 • CWE-862: Missing Authorization •
CVSS: 9.1EPSS: 0%CPEs: 5EXPL: 0CVE-2020-26820
https://notcve.org/view.php?id=CVE-2020-26820
SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to the file system and upload a malicious file. The attacker or another user can then use a separate mechanism to execute OS commands through the uploaded file leading to Privilege Escalation and completely compromise the confidentiality, integrity and availability of the server operating system and any application running on it. SAP NetWeaver AS JAVA, versiones - 7.20, 7.30, 7.31, 7.40, 7.50, permite a un atacante que es autenticado como administrador usar la consola de administrador, exponer el acceso no autenticado al sistema de archivos y cargar un archivo malicioso. El atacante u otro usuario pueden usar un mecanismo separado para ejecutar los comandos del Sistema Operativo por medio del archivo cargado conllevando a una Escalada de Privilegios y comprometer completamente la confidencialidad, integridad y disponibilidad del sistema operativo del servidor y cualquier aplicación que se ejecute en él • http://packetstormsecurity.com/files/162086/SAP-Java-OS-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2021/Apr/7 https://launchpad.support.sap.com/#/notes/2979062 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2020-26819
https://notcve.org/view.php?id=CVE-2020-26819
SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, that allows them to read and delete database logfiles because of Improper Access Control. SAP NetWeaver AS ABAP (Web Dynpro), versiones - 731, 740, 750, 751, 752, 753, 754, 755, 782, permite a un usuario autenticado acceder a los componentes de Web Dynpro, lo que luego permite leer y eliminar archivos de registro de la base de datos debido a un Control de Acceso Inapropiado • https://launchpad.support.sap.com/#/notes/2971954 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 •
CVSS: 4.8EPSS: 0%CPEs: 5EXPL: 0CVE-2020-6370
https://notcve.org/view.php?id=CVE-2020-6370
SAP NetWeaver Design Time Repository (DTR), versions - 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver Design Time Repository (DTR), versiones - 7.11, 7.30, 7.31, 7.40, 7.50, no codifica suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad de tipo Cross-Site Scripting (XSS) • https://launchpad.support.sap.com/#/notes/2939419 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •