CVSS: 10.0EPSS: 1%CPEs: 6EXPL: 1CVE-2020-26829 – SAP Netweaver JAVA 7.50 Missing Authorization
https://notcve.org/view.php?id=CVE-2020-26829
09 Dec 2020 — SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections from processes because of missing authentication check, that are outside the cluster and even outside the network segment dedicated for the internal cluster communication. As result, an unauthenticated attacker can invoke certain functions that would otherwise be restricted to system administrators only, including access to system administration functions or shutting down the system... • https://packetstorm.news/files/id/163166 • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.4EPSS: 0%CPEs: 7EXPL: 0CVE-2020-26816
https://notcve.org/view.php?id=CVE-2020-26816
09 Dec 2020 — SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. This enables an attacker who has administrator access to the SAP NetWeaver AS Java to decode the keys because of missing encryption and get some application data and client credentials of adjacent systems. This highly impacts Confidentiality as information disclosed ... • https://launchpad.support.sap.com/#/notes/2971163 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 3.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-6317
https://notcve.org/view.php?id=CVE-2020-6317
30 Nov 2020 — In certain situations, an attacker with regular user credentials and local access to an ASE cockpit installation can access sensitive information which appears in the installation log files. This information although sensitive is of limited utility and cannot be used to further access, modify or render unavailable any other information in the cockpit or system. This affects SAP Adaptive Server Enterprise, Versions - 15.7, 16.0. En determinadas situaciones, un atacante con credenciales de usuario normales y ... • https://launchpad.support.sap.com/#/notes/2953203 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2020-26825
https://notcve.org/view.php?id=CVE-2020-26825
13 Nov 2020 — SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to use SAP Fiori Launchpad News tile Application to send malicious code, to a different end user (victim), because News tile does not sufficiently encode user controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability. Information maintained in the victim's web browser can be read, modified, and sent to the attacker. The malicious code cannot significantly impact the victi... • https://launchpad.support.sap.com/#/notes/2984627 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-26807
https://notcve.org/view.php?id=CVE-2020-26807
10 Nov 2020 — SAP ERP Client for E-Bilanz, version - 1.0, installation sets Incorrect default filesystem permissions are set in its installation folder which allows anyone to modify the files in the folder. SAP ERP Client para E-Bilanz, versión - 1.0, la instalación establece permisos del sistema de archivos predeterminados Incorrectos que están configurados en su carpeta de instalación, lo que permite que cualquiera pueda modificar los archivos en la carpeta • https://launchpad.support.sap.com/#/notes/2971112 • CWE-276: Incorrect Default Permissions •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2020-26810
https://notcve.org/view.php?id=CVE-2020-26810
10 Nov 2020 — SAP Commerce Cloud (Accelerator Payment Mock), versions - 1808, 1811, 1905, 2005, allows an unauthenticated attacker to submit a crafted request over a network to a particular SAP Commerce module URL which will be processed without further interaction, the crafted request can render the SAP Commerce service itself unavailable leading to Denial of Service with no impact on confidentiality or integrity. SAP Commerce Cloud (Accelerator Payment Mock), versiones: 1808, 1811, 1905, 2005, permite a un atacante no ... • https://launchpad.support.sap.com/#/notes/2975170 •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-26823
https://notcve.org/view.php?id=CVE-2020-26823
10 Nov 2020 — SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the Upgrade Diagnostics Agent Connection Service, this has an impact to the integrity and availability of the service. SAP Solution Manager (JAVA stack), versión - 7.20, permite a un atacante no autenticado comprometer el sistema debido a una falta de comprobación de autorización en Upgrade Diagnostics Agent Connection Service, esto presenta un impacto en ... • https://launchpad.support.sap.com/#/notes/2985866 • CWE-306: Missing Authentication for Critical Function •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-26821
https://notcve.org/view.php?id=CVE-2020-26821
10 Nov 2020 — SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the SVG Converter Service, this has an impact to the integrity and availability of the service. SAP Solution Manager (JAVA stack), versión - 7.20, permite a un atacante no autenticado comprometer el sistema debido a una falta de comprobación de autorización en SVG Converter Service, esto presenta un impacto en la integridad y disponibilidad del servicio • https://launchpad.support.sap.com/#/notes/2985866 • CWE-306: Missing Authentication for Critical Function •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2020-26818
https://notcve.org/view.php?id=CVE-2020-26818
10 Nov 2020 — SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, which reveals sensitive system information that would otherwise be restricted to highly privileged users because of missing authorization, resulting in Information Disclosure. SAP NetWeaver AS ABAP (Web Dynpro), versiones: 731, 740, 750, 751, 752, 753, 754, 755, 782, permite a un usuario autenticado acceder a los componentes de Web Dynpro, lo que revela in... • https://launchpad.support.sap.com/#/notes/2971954 • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-26824
https://notcve.org/view.php?id=CVE-2020-26824
10 Nov 2020 — SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the Upgrade Legacy Ports Service, this has an impact to the integrity and availability of the service. SAP Solution Manager (JAVA stack), versión - 7.20, permite a un atacante no autenticado comprometer el sistema debido a una falta de comprobación de autorización en Upgrade Legacy Ports Service, esto presenta un impacto en la integridad y disponibilidad d... • https://launchpad.support.sap.com/#/notes/2985866 • CWE-306: Missing Authentication for Critical Function •