
Critical Access Control Vulnerability Patched in SAP Marketing


SAP this week announced the release of 10 new Security Notes as part of its September 2020 Security Patch Day, along with updates for six previously released Security Notes.

Two of the Security Notes are rated Hot News and address critical flaws in SAP Marketing – Mobile Channel Servlet (CVE-2020-6320 – improper access control) and NetWeaver (ABAP Server) and ABAP Platform (CVE-2020-6318 – code injection), which carry CVSS scores of 9.6 and 9.1, respectively.

Mobile Channel Servlet enables mobile campaigns in which push notifications are sent to Android and iOS devices via Google Firebase. The critical flaw addressed this week allows an authenticated attacker to access restricted functionality.

“An exploit of the vulnerability allows an attacker to perform tasks related to contact and interaction data,” Onapsis, a firm that focuses on securing Oracle and SAP applications, explains.

The code injection flaw in NetWeaver would allow an attacker to take full control of the application. Thus, the attacker could view, change, or delete data by means of code injected into memory and executed by the application, or could cause the application to terminate.

Additionally, SAP updated two other Hot News Security Notes, one addressing a missing authorization check in Solution Manager (CVE-2020-6207, CVSS score of 10), and another that deals with security updates for the Chromium browser in Business Client (CVSS score of 9.8).

Two other updated Security Notes deal with high-severity vulnerabilities, namely a code injection in NetWeaver (ABAP) and ABAP Platform (CVE-2020-6296), and a server-side request forgery in NetWeaver AS ABAP (CVE-2020-6275).

“Three of the six HotNews and High Priority notes only contain more or less negligible update information that doesn’t require customer action (compared to the initial/previous version of the notes). The two HotNews notes #2961991 and #2958563 only affect a small number of SAP customers (SAP Marketing, SAP NetWeaver AS ABAP on DB4 or Sybase). That gives enough time to check the status of all relevant security patches in your SAP systems,” Onapsis notes.

Five Security Notes released this week address medium-risk vulnerabilities in Bank Analyzer and S/4HANA Financial Products (CVE-2020-6311), Commerce (CVE-2020-6302), NetWeaver AS ABAP (CVE-2020-6324), NetWeaver AS Java (CVE-2020-6326), and Fiori (Launchpad) (CVE-2020-6283).

Two other medium-priority Security Notes address multiple vulnerabilities in BusinessObjects Business Intelligence Platform (CVE-2020-6325, CVE-2020-6312, and CVE-2020-6288) and 3D Visual Enterprise Viewer (38 CVEs).

This week, SAP also released updates for two medium-priority bugs: one addressing cross-site scripting (XSS) vulnerabilities in the modified jQuery bundled with SAPUI5 (CVE-2020-11022, CVE-2020-11023) and another patching a server-side request forgery in NetWeaver AS JAVA (CVE-2020-6282).

SAP also announced a low-priority Security Note that patches an information disclosure vulnerability in Adaptive Server Enterprise (CVE-2020-6317).

Related: SAP Releases August 2020 Security Updates

Related: SAP Releases 10 Security Notes on July 2020 Patch Day

Related: Critical Vulnerability Patched in SAP Commerce


Ionut Arghire is a global correspondent for SecurityWeek.
