Show vulnerabilities with patch / with exploit

Multiple vulnerabilities in SAP Disclosure Management



Published: 2020-07-14
Severity Medium
Patch available YES
Number of vulnerabilities 5
CVE ID CVE-2020-6267
CVE-2020-6289
CVE-2020-6290
CVE-2020-6291
CVE-2020-6292
CWE ID CWE-264
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #3 is available.
Public exploit code for vulnerability #4 is available.
Public exploit code for vulnerability #5 is available.
Vulnerable software
Subscribe
SAP Disclosure Management
Web applications / Remote management & hosting panels

Vendor SAP

Security Advisory

1) Permissions, Privileges, and Access Controls

Severity: Medium

CVSSv3: 4.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-6267

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error within the SAP Disclosure Management.  A remote non-authenticated attacker can gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Disclosure Management: 10.01

CPE External links

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Permissions, Privileges, and Access Controls

Severity: Medium

CVSSv3: 4.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-6289

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error within the SAP Disclosure Management.  A remote non-authenticated attacker can gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Disclosure Management: 10.01

CPE External links

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Permissions, Privileges, and Access Controls

Severity: Medium

CVSSv3: 4.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-6290

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error within the SAP Disclosure Management.  A remote non-authenticated attacker can gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Disclosure Management: 10.01

CPE External links

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Permissions, Privileges, and Access Controls

Severity: Medium

CVSSv3: 4.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-6291

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error within the SAP Disclosure Management.  A remote non-authenticated attacker can gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Disclosure Management: 10.01

CPE External links

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Permissions, Privileges, and Access Controls

Severity: Medium

CVSSv3: 4.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-6292

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error within the SAP Disclosure Management.  A remote non-authenticated attacker can gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Disclosure Management: 10.01

CPE External links

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



ImmuniWeb® AI Platform for Application Security Testing