Seven high-risk issues, one critical

However, the most important flaw on the list is a cross-site scripting (XSS) issue in the Knowledge Management component of NetWeaver AS, which received the identifier CVE-2020-6284 and has a critical severity score of 9/10. The same component received a fix for an unrestricted file upload issue (CVE-2020-6293). A missing authentication check has been fixed in SAP's business intelligence platform, BusinessObjects. Tracked as CVE-2020-6294, the bug has a high-severity rating of 8.5 and affects versions 4.2 and 4.3. In SAP Business Services (Generic Market Data), the developer addressed a missing authorization issue, now known as CVE-2020-6298, with a slightly lower score of 8.3. Several versions of NetWeaver (ABAP Server) and ABAP Platform have a code injection vulnerability (CVE-2020-6296) rated with a severity score of 8.3.
SAP provides patches for another missing authentication check (CVE-2020-6309) discovered in various components of NetWeaver AS Java (EngineAPI, WSRM, ServerCore, and J2EE-FRMW).

Last on the list of more noteworthy updates is an information disclosure (CVE-2020-6295) in SAP Adaptive Server Enterprise version 16.0, with a calculated severity score of 7. Details for these bugs are still under wraps, but SAP customers can learn the particulars by logging into their SAP ONE Support Launchpad account. A summary of all the vulnerabilities addressed in today's security updates from SAP is available here.