
Seven high-risk issues, one critical
However, the most important flaw in the list is a cross-site scripting (XSS) issue in the Knowledge Management component of NetWeaver AS, which received the identification number CVE-2020-6284 and has a critical severity score of 9/10. The same component received a fix for allowing unrestricted file upload (CVE-2020-6293).

A missing authentication check has been fixed in SAP's business intelligence platform BusinessObjects. Tracked as CVE-2020-6294, the bug has a high-severity rating of 8.5 and affects versions 4.2 and 4.3.

In SAP Business Services (Generic Market Data), the developer addressed an issue now known as CVE-2020-6298, referring to missing authorization, with a slightly lower score of 8.3.

Several versions of NetWeaver (ABAP Server) and ABAP Platform have a code injection vulnerability (CVE-2020-6296) rated with a severity impact of 8.3.

SAP provides patches for another missing authentication check (CVE-2020-6309) discovered in various components of NetWeaver AS Java (EngineAPI, WSRM, ServerCore, and J2EE-FRMW).

Last on the list of more noteworthy updates is an information disclosure (CVE-2020-6295) in SAP Adaptive Server Enterprise version 16.0, with a calculated severity score of 7.

Details for these bugs are still under wraps, but SAP customers can learn the particularities by logging into their SAP ONE support launchpad account. A summary of all the vulnerabilities addressed in today's security updates from SAP is available here.