Two of the updates address critical bugs in SAP Marketing (Mobile Channel Servlet) (CVE-2020-6320, improper access control) and in NetWeaver (ABAP Server) and ABAP Platform (CVE-2020-6318, code injection), which have CVSS ratings of 9.6 and 9.1, respectively.
Mobile Channel Servlet lets you create mobile app campaigns in which push notifications are sent to Android and iOS devices via Google Firebase. The critical flaw addressed this week allowed an attacker to gain access to restricted functions.
"An exploitation of the vulnerability allows an attacker to perform tasks related to contact and interaction data," explains Onapsis, a company specializing in Oracle and SAP application security.
The code injection flaw in NetWeaver could allow an attacker to take full control of the application. The attacker could view, change, or delete data through code injected into memory and executed by the application, or could cause the application to terminate.
SAP has fixed two other issues: one is a missing authorization check in Solution Manager (CVE-2020-6207, CVSS rating of 10) and the other deals with security updates for the Chromium browser in Business Client (CVSS score of 9.8).
Two other security updates deal with high-severity vulnerabilities, namely code injection in NetWeaver (ABAP) and the ABAP Platform (CVE-2020-6296) and server-side request forgery in NetWeaver AS ABAP (CVE-2020-6275).
Five security notes released this week address moderate vulnerabilities in Bank Analyzer and S/4HANA Financial Products (CVE-2020-6311), Commerce (CVE-2020-6302), NetWeaver AS ABAP (CVE-2020-6324), NetWeaver AS Java (CVE-2020-6326) and Fiori (Launchpad) (CVE-2020-6283).
Two other updates address multiple vulnerabilities in the BusinessObjects Business Intelligence Platform (CVE-2020-6325, CVE-2020-6312 and CVE-2020-6288) and the 3D Visual Enterprise Viewer (38 CVEs).
This week, SAP also released updates for two moderate-severity issues: one addresses cross-site scripting (XSS) vulnerabilities in the modified jQuery bundled with SAPUI5 (CVE-2020-11022, CVE-2020-11023) and the other addresses server-side request forgery in NetWeaver AS JAVA (CVE-2020-6282).
SAP also announced a low-severity security update that fixes an information leak vulnerability in Adaptive Server Enterprise (CVE-2020-6317).