Multiple vulnerabilities in SAP Disclosure Management



Published: 2020-07-14
Risk Medium
Patch available YES
Number of vulnerabilities 5
CVE-ID CVE-2020-6267
CVE-2020-6289
CVE-2020-6290
CVE-2020-6291
CVE-2020-6292
CWE-ID CWE-264
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #3 is available.
Public exploit code for vulnerability #4 is available.
Public exploit code for vulnerability #5 is available.
Vulnerable software
Subscribe
SAP Disclosure Management
Web applications / Remote management & hosting panels

Vendor SAP

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU29718

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-6267

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error within the SAP Disclosure Management.  A remote non-authenticated attacker can gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Disclosure Management: 10.01


CPE2.3 External links

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU29719

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-6289

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error within the SAP Disclosure Management.  A remote non-authenticated attacker can gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Disclosure Management: 10.01


CPE2.3 External links

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU29720

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-6290

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error within the SAP Disclosure Management.  A remote non-authenticated attacker can gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Disclosure Management: 10.01


CPE2.3 External links

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU29721

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-6291

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error within the SAP Disclosure Management.  A remote non-authenticated attacker can gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Disclosure Management: 10.01


CPE2.3 External links

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU29722

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-6292

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error within the SAP Disclosure Management.  A remote non-authenticated attacker can gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Disclosure Management: 10.01


CPE2.3 External links

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###