CVE-2020-6653
Eaton’s Secure connect mobile app v1.7.3 & prior stores the user login credentials in the logcat file when a user creates or registers an account on the mobile app. A malicious app or unauthorized user can...
Improper access control in SOA Configuration Trace component in SAP NetWeaver (ABAP Server) and ABAP Platform, versions – 702, 730, 731, 740, 750, allows any authenticated user to enumerate all SAP users, leading to...
SAP NetWeaver AS JAVA, versions – (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the attacker to send...
SAP ERP (HCM Travel Management), versions – 600, 602, 603, 604, 605, 606, 607, 608, allows an authenticated but unauthorized attacker to read, modify and settle trips, resulting in escalation of privileges, due to...
SAP Business Objects Business Intelligence Platform (Central Management Console), versions – 4.2, 4.3, allows an attacker with administrator rights to use the web application to send malicious code to a different end user (victim), as...
SAP NetWeaver (ABAP Server) and ABAP Platform, versions – 740, 750, 751, 752, 753, 754, 755, allows a business user to access the list of users in the given system using value help, leading...
SAP Banking Services (Generic Market Data), versions – 400, 450, 500, allows an unauthorized user to display protected Business Partner Generic Market Data (GMD) and change related GMD key figure values, due to Missing...
Under certain conditions the upgrade of SAP Data Hub 2.7 to SAP Data Intelligence, version – 3.0, allows an attacker to access confidential system configuration information, that should otherwise be restricted, leading to Information...
SAP NetWeaver (ABAP Server) and ABAP Platform, versions – 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, allows an attacker to inject code that can be executed by the application,...
Under certain conditions the SAP Adaptive Server Enterprise, version 16.0, allows an attacker to access encrypted sensitive and confidential information through publicly readable installation log files leading to a compromise of the installed Cockpit....
Xvfb of SAP Business Objects Business Intelligence Platform, versions – 4.2, 4.3, platform on Unix does not perform any authentication checks for functionalities that require user identity.
Date published: 2020-08-12
https://launchpad.support.sap.com/#/notes/2927956
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345
SAP NetWeaver (Knowledge Management), versions – 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to upload a malicious file and also to access, modify or make unavailable existing files but the impact is limited...
SAP NetWeaver (Knowledge Management), versions – 7.30, 7.31, 7.40, 7.50, allows the automatic execution of script content in a stored file due to inadequate filtering with the accessing user’s privileges. If the accessing user...
SAP S/4 HANA (Fiori UI for General Ledger Accounting), versions 103, 104, does not perform necessary authorization checks for an authenticated user working with attachment service, allowing the attacker to delete attachments due to...