CVE-2020-6275
https://notcve.org/view.php?id=CVE-2020-6275
SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request Forgery Attack where in an attacker can use inappropriate path names containing malicious server names in the import/export of sessions functionality and coerce the web server into authenticating with the malicious server. Furthermore, if NTLM is setup the attacker can compromise confidentiality, integrity and availability of the SAP database. SAP Netweaver AS ABAP, versiones 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, son vulnerables a un ataque de tipo Server Side Request Forgery, donde un atacante puede usar nombres de ruta inapropiados que contienen nombres de servidores maliciosos en la funcionalidad de importación/exportación de sesiones y obligan al servidor web a autenticarse con el servidor malicioso. Adicionalmente, si NTLM está configurado, el atacante puede comprometer la confidencialidad, integridad y disponibilidad de la base de datos de SAP • https://launchpad.support.sap.com/#/notes/2912939 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2020-6270
https://notcve.org/view.php?id=CVE-2020-6270
SAP NetWeaver AS ABAP (Banking Services), versions - 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not perform necessary authorization checks for an authenticated user due to Missing Authorization Check, allowing wrong and unexpected change of individual conditions by a malicious user leading to wrong prices. SAP NetWeaver AS ABAP (Banking Services), versiones: 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, no realiza las comprobaciones de autorización necesarias para un usuario autenticado debido a la Falta de Comprobación de Autorización, permitiendo un cambio incorrecto e inesperado de condiciones individuales por un usuario malicioso conllevando a precios incorrectos • https://launchpad.support.sap.com/#/notes/2916562 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775 • CWE-862: Missing Authorization •
CVE-2020-6240
https://notcve.org/view.php?id=CVE-2020-6240
SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service leading to Denial of Service SAP NetWeaver AS ABAP (Web Dynpro ABAP), versiones (SAP_UI 750, 752, 753, 754 y SAP_BASIS 700, 710, 730, 731, 804), permite a un atacante no autenticado impedir a usuarios legítimos el acceso a un servicio, ya sea mediante el bloqueo o la inundación del servicio que conlleva a una Denegación de Servicio. • https://launchpad.support.sap.com/#/notes/2856923 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222 •
CVE-2020-6229
https://notcve.org/view.php?id=CVE-2020-6229
SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME), versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not sufficiently encode user controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver AS ABAP (aplicación CRM_BSP_FRAME de Business Server Pages), versiones 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, no codifica suficientemente entradas controladas por el usuario, resultando en una vulnerabilidad de tipo Cross-Site Scripting (XSS) reflejada. • https://launchpad.support.sap.com/#/notes/2900374 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •