CVE-2020-6198
https://notcve.org/view.php?id=CVE-2020-6198
SAP Solution Manager (Diagnostics Agent), version 720, allows unencrypted connections from unauthenticated sources. This allows an attacker to control all remote functions on the Agent due to Missing Authentication Check.
• https://launchpad.support.sap.com/#/notes/2845377
• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305
• CWE-306: Missing Authentication for Critical Function
• CWE-319: Cleartext Transmission of Sensitive Information
CVE-2019-0307
https://notcve.org/view.php?id=CVE-2019-0307
Diagnostics Agent in Solution Manager, version 7.2, stores several credentials such as SLD user connection as well as Solman user communication in the SAP Secure Storage file which is not encrypted by default. By decoding these credentials, an attacker with admin privileges could gain access to the entire configuration, but no system sensitive information can be gained.
• https://launchpad.support.sap.com/#/notes/2772266
• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242
• CWE-311: Missing Encryption of Sensitive Data
CVE-2019-0293
https://notcve.org/view.php?id=CVE-2019-0293
Read of RFC destination does not always perform necessary authorization checks, resulting in escalation of privileges to access information on RFC destinations on managed systems and SAP Solution Manager system (ST-PI, before versions 2008_1_700, 2008_1_710, and 740).
• http://www.securityfocus.com/bid/108324
• https://launchpad.support.sap.com/#/notes/2756625
• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032
• CWE-862: Missing Authorization
CVE-2019-0291
https://notcve.org/view.php?id=CVE-2019-0291
Under certain conditions Solution Manager, version 7.2, allows an attacker to access information which would otherwise be restricted.
• http://www.securityfocus.com/bid/108313
• https://launchpad.support.sap.com/#/notes/2748699
• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032
CVE-2018-2405
https://notcve.org/view.php?id=CVE-2018-2405
In SAP Solution Manager, versions 7.10 and 7.20, the Incident Management Work Center allows an attacker to upload a malicious script as an attachment, which could lead to possible Cross-Site Scripting.
• http://www.securityfocus.com/bid/103703
• https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018
• https://launchpad.support.sap.com/#/notes/2372688
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')