
CVE-2020-6370
https://notcve.org/view.php?id=CVE-2020-6370
20 Oct 2020 — SAP NetWeaver Design Time Repository (DTR), versions 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. • https://launchpad.support.sap.com/#/notes/2939419 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-6367
https://notcve.org/view.php?id=CVE-2020-6367
20 Oct 2020 — There is a reflected cross-site scripting vulnerability in SAP NetWeaver Composite Application Framework, versions 7.20, 7.30, 7.31, 7.40, 7.50. An unauthenticated attacker can trick an unsuspecting authenticated user into clicking a malicious link. The end user's browser has no way to know that the script should not be trusted and will execute it, resulting in sensitive information being disclosed or modified. • https://launchpad.support.sap.com/#/notes/2972661 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-6362
https://notcve.org/view.php?id=CVE-2020-6362
20 Oct 2020 — SAP Banking Services version 500 uses an incorrect authorization object in some of its reports. Although the affected reports are protected with other authorization objects, exploitation of the vulnerability could lead to privilege escalation and violation of segregation of duties, which in turn could lead to service interruptions and system unavailability for the victim and users of the component. • https://launchpad.support.sap.com/#/notes/2953212 • CWE-863: Incorrect Authorization

CVE-2020-6308
https://notcve.org/view.php?id=CVE-2020-6308
20 Oct 2020 — SAP BusinessObjects Business Intelligence Platform (Web Services) versions 410, 420, 430 allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, the attacker can scan the internal network to determine internal infrastructure and gather information for further attacks like remote file inclusion, retrieve server files, bypass the firewall and force the vulnerable server to perfor... • https://github.com/InitRoot/CVE-2020-6308-PoC • CWE-918: Server-Side Request Forgery (SSRF)

CVE-2020-6369 – SAP Wily Introscope Enterprise Default Hard-Coded Credentials
https://notcve.org/view.php?id=CVE-2020-6369
20 Oct 2020 — SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7) allows unauthenticated attackers to bypass authentication if the default passwords for Admin and Guest have not been changed by the administrator. This may impact the confidentiality of the service. • http://packetstormsecurity.com/files/163159/SAP-Wily-Introscope-Enterprise-Default-Hard-Coded-Credentials.html

CVE-2020-6366
https://notcve.org/view.php?id=CVE-2020-6366
20 Oct 2020 — SAP NetWeaver (Compare Systems) versions 7.20, 7.30, 7.40, 7.50 does not sufficiently validate uploaded XML documents. An attacker with administrative privileges can retrieve arbitrary files, including files at OS level, from the server and/or can cause a denial of service. • https://launchpad.support.sap.com/#/notes/2969457 • CWE-20: Improper Input Validation

CVE-2020-6315 – SAP 3D Visual Enterprise Viewer SVG File XML External Entity Processing Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-6315
19 Oct 2020 — SAP 3D Visual Enterprise Viewer, version 9, allows an attacker to send a certain manipulated file to the victim, which can lead to leakage of sensitive information when the victim loads the malicious file into the VE viewer, leading to Information Disclosure. • https://launchpad.support.sap.com/#/notes/2973497

CVE-2020-6365
https://notcve.org/view.php?id=CVE-2020-6365
15 Oct 2020 — SAP NetWeaver AS Java, versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, Start Page allows an unauthenticated remote attacker to redirect users to a malicious site due to insufficient reverse-tabnabbing URL validation. The attacker could execute phishing attacks to steal the victim's credentials or redirect users to untrusted web pages containing malware or similar malicious exploits. • https://launchpad.support.sap.com/#/notes/2969828 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVE-2020-6376
https://notcve.org/view.php?id=CVE-2020-6376
15 Oct 2020 — SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated Right Hemisphere Binary (.rh) file received from untrusted sources, which results in the application crashing and becoming temporarily unavailable until the user restarts it; this is caused by Improper Input Validation. • https://launchpad.support.sap.com/#/notes/2973497 • CWE-20: Improper Input Validation

CVE-2020-6374 – SAP 3D Visual Enterprise Viewer JT File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-6374
15 Oct 2020 — SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated Jupiter Tessellation (.jt) file received from untrusted sources, which results in the application crashing and becoming temporarily unavailable until the user restarts it; this is caused by Improper Input Validation. • https://launchpad.support.sap.com/#/notes/2973497 • CWE-20: Improper Input Validation • CWE-125: Out-of-bounds Read