cvelistv5 - cve-2020-6289

CVE-2020-6289 (GCVE-0-2020-6289)

Vulnerability from cvelistv5 – Published: 2020-07-14 12:30 – Updated: 2024-08-04 08:55

Summary

SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE

Cross-Site Request Forgery

Assigner

sap

References

URL

Tags

	https://wiki.scn.sap.com/wiki/pages/viewpage.acti…	x_refsource_MISC
	https://launchpad.support.sap.com/#/notes/2758000	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	SAP SE	SAP Disclosure Management	Affected: < 1.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:55:22.240Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/2758000"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SAP Disclosure Management",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-Site Request Forgery",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-14T12:30:14",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://launchpad.support.sap.com/#/notes/2758000"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2020-6289",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SAP Disclosure Management",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "\u003c",
                            "version_value": "1.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SAP SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "4.3",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-Site Request Forgery"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675",
              "refsource": "MISC",
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675"
            },
            {
              "name": "https://launchpad.support.sap.com/#/notes/2758000",
              "refsource": "MISC",
              "url": "https://launchpad.support.sap.com/#/notes/2758000"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2020-6289",
    "datePublished": "2020-07-14T12:30:14",
    "dateReserved": "2020-01-08T00:00:00",
    "dateUpdated": "2024-08-04T08:55:22.240Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:disclosure_management:10.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"53067DD8-3718-46AE-AA69-2065C07F5EEF\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.\"}, {\"lang\": \"es\", \"value\": \"SAP Disclosure Management, versi\\u00f3n 10.1, presentaba una protecci\\u00f3n insuficiente contra ataques de tipo Cross-Site Request Forgery, que podr\\u00eda ser usada para enga\\u00f1ar a un usuario para navegar en sitios maliciosos\"}]",
      "id": "CVE-2020-6289",
      "lastModified": "2024-11-21T05:35:26.723",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV30\": [{\"source\": \"cna@sap.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2020-07-14T13:15:13.093",
      "references": "[{\"url\": \"https://launchpad.support.sap.com/#/notes/2758000\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675\", \"source\": \"cna@sap.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://launchpad.support.sap.com/#/notes/2758000\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cna@sap.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-352\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-6289\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2020-07-14T13:15:13.093\",\"lastModified\":\"2024-11-21T05:35:26.723\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.\"},{\"lang\":\"es\",\"value\":\"SAP Disclosure Management, versi\u00f3n 10.1, presentaba una protecci\u00f3n insuficiente contra ataques de tipo Cross-Site Request Forgery, que podr\u00eda ser usada para enga\u00f1ar a un usuario para navegar en sitios maliciosos\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV30\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:disclosure_management:10.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"53067DD8-3718-46AE-AA69-2065C07F5EEF\"}]}]}],\"references\":[{\"url\":\"https://launchpad.support.sap.com/#/notes/2758000\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://launchpad.support.sap.com/#/notes/2758000\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

CERTFR-2020-AVI-432

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans SAP . Certaines d'entre elles permettent à un attaquant de provoquer un contournement de la politique de sécurité, une atteinte à l'intégrité des données et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP NetWeaver (XML Toolkit for JAVA) ENGINEAPI versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
SAP	N/A	SAP Business Objects Business Intelligence Platform (BI Launchpad, bipodata, CMC, Web Intelligence HTML Interface) versions 4.1, 4.2
SAP	N/A	SAP Business Client version 6.5
SAP	N/A	SAP Disclosure Management, version 1.0
SAP	N/A	SAP NetWeaver (ABAP Server) et plate-formes ABAP versions 731, 740, 750
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30, 7.31, 7.40, 7.50
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS) versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

References

Title

Publication Time

Tags

Bulletin de sécurité SAP du 14 juillet 2020

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP NetWeaver (XML Toolkit for JAVA) ENGINEAPI versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Business Objects Business Intelligence Platform (BI Launchpad, bipodata, CMC, Web Intelligence HTML Interface) versions 4.1, 4.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Business Client version 6.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Disclosure Management, version 1.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver (ABAP Server) et plate-formes ABAP versions 731, 740, 750",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30, 7.31, 7.40, 7.50",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS) versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-6282",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6282"
    },
    {
      "name": "CVE-2020-6280",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6280"
    },
    {
      "name": "CVE-2020-6222",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6222"
    },
    {
      "name": "CVE-2020-6286",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6286"
    },
    {
      "name": "CVE-2020-6276",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6276"
    },
    {
      "name": "CVE-2020-6289",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6289"
    },
    {
      "name": "CVE-2020-6292",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6292"
    },
    {
      "name": "CVE-2020-6281",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6281"
    },
    {
      "name": "CVE-2020-6290",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6290"
    },
    {
      "name": "CVE-2020-6287",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6287"
    },
    {
      "name": "CVE-2020-6285",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6285"
    },
    {
      "name": "CVE-2020-6291",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6291"
    },
    {
      "name": "CVE-2020-6278",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6278"
    },
    {
      "name": "CVE-2020-6267",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6267"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-432",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-07-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans SAP . Certaines\nd\u0027entre elles permettent \u00e0 un attaquant de provoquer un contournement de\nla politique de s\u00e9curit\u00e9, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une\natteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP du 14 juillet 2020",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675"
    }
  ]
}

CERTFR-2020-AVI-432

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP NetWeaver (XML Toolkit for JAVA) ENGINEAPI versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
SAP	N/A	SAP Business Objects Business Intelligence Platform (BI Launchpad, bipodata, CMC, Web Intelligence HTML Interface) versions 4.1, 4.2
SAP	N/A	SAP Business Client version 6.5
SAP	N/A	SAP Disclosure Management, version 1.0
SAP	N/A	SAP NetWeaver (ABAP Server) et plate-formes ABAP versions 731, 740, 750
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30, 7.31, 7.40, 7.50
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS) versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

References

Title

Publication Time

Tags

Bulletin de sécurité SAP du 14 juillet 2020

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP NetWeaver (XML Toolkit for JAVA) ENGINEAPI versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Business Objects Business Intelligence Platform (BI Launchpad, bipodata, CMC, Web Intelligence HTML Interface) versions 4.1, 4.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Business Client version 6.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Disclosure Management, version 1.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver (ABAP Server) et plate-formes ABAP versions 731, 740, 750",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30, 7.31, 7.40, 7.50",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS) versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-6282",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6282"
    },
    {
      "name": "CVE-2020-6280",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6280"
    },
    {
      "name": "CVE-2020-6222",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6222"
    },
    {
      "name": "CVE-2020-6286",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6286"
    },
    {
      "name": "CVE-2020-6276",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6276"
    },
    {
      "name": "CVE-2020-6289",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6289"
    },
    {
      "name": "CVE-2020-6292",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6292"
    },
    {
      "name": "CVE-2020-6281",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6281"
    },
    {
      "name": "CVE-2020-6290",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6290"
    },
    {
      "name": "CVE-2020-6287",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6287"
    },
    {
      "name": "CVE-2020-6285",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6285"
    },
    {
      "name": "CVE-2020-6291",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6291"
    },
    {
      "name": "CVE-2020-6278",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6278"
    },
    {
      "name": "CVE-2020-6267",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6267"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-432",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-07-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans SAP . Certaines\nd\u0027entre elles permettent \u00e0 un attaquant de provoquer un contournement de\nla politique de s\u00e9curit\u00e9, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une\natteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP du 14 juillet 2020",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675"
    }
  ]
}

FKIE_CVE-2020-6289

Vulnerability from fkie_nvd - Published: 2020-07-14 13:15 - Updated: 2024-11-21 05:35

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.

References

URL	Tags
cna@sap.com	https://launchpad.support.sap.com/#/notes/2758000	Permissions Required, Vendor Advisory
cna@sap.com	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://launchpad.support.sap.com/#/notes/2758000	Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675	Vendor Advisory

Impacted products

	Vendor	Product	Version
	sap	disclosure_management	10.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:disclosure_management:10.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "53067DD8-3718-46AE-AA69-2065C07F5EEF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site."
    },
    {
      "lang": "es",
      "value": "SAP Disclosure Management, versi\u00f3n 10.1, presentaba una protecci\u00f3n insuficiente contra ataques de tipo Cross-Site Request Forgery, que podr\u00eda ser usada para enga\u00f1ar a un usuario para navegar en sitios maliciosos"
    }
  ],
  "id": "CVE-2020-6289",
  "lastModified": "2024-11-21T05:35:26.723",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-14T13:15:13.093",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/2758000"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/2758000"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2020-44621

Vulnerability from cnvd - Published: 2020-07-31

Title

SAP Disclosure Management跨站请求伪造漏洞

Description

SAP Disclosure Management是德国思爱普（SAP）公司的一套自动化财务披露管理系统。该系统提供跨团队、跨地域、跨系统和跨数据源的协作式财务披露流程。 SAP Disclosure Management 10.1版本中存在跨站请求伪造漏洞，该漏洞源于程序未对跨站请求伪造攻击进行充分的保护。攻击者可利用该漏洞执行恶意操作。

Severity

中

Patch Name

SAP Disclosure Management跨站请求伪造漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-6289

Impacted products

Name
SAP SAP Disclosure Management 10.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-6289",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-6289"
    }
  },
  "description": "SAP Disclosure Management\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u81ea\u52a8\u5316\u8d22\u52a1\u62ab\u9732\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u63d0\u4f9b\u8de8\u56e2\u961f\u3001\u8de8\u5730\u57df\u3001\u8de8\u7cfb\u7edf\u548c\u8de8\u6570\u636e\u6e90\u7684\u534f\u4f5c\u5f0f\u8d22\u52a1\u62ab\u9732\u6d41\u7a0b\u3002\n\nSAP Disclosure Management 10.1\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u5bf9\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u653b\u51fb\u8fdb\u884c\u5145\u5206\u7684\u4fdd\u62a4\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u6076\u610f\u64cd\u4f5c\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-44621",
  "openTime": "2020-07-31",
  "patchDescription": "SAP Disclosure Management\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u81ea\u52a8\u5316\u8d22\u52a1\u62ab\u9732\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u63d0\u4f9b\u8de8\u56e2\u961f\u3001\u8de8\u5730\u57df\u3001\u8de8\u7cfb\u7edf\u548c\u8de8\u6570\u636e\u6e90\u7684\u534f\u4f5c\u5f0f\u8d22\u52a1\u62ab\u9732\u6d41\u7a0b\u3002\r\n\r\nSAP Disclosure Management 10.1\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u5bf9\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u653b\u51fb\u8fdb\u884c\u5145\u5206\u7684\u4fdd\u62a4\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u6076\u610f\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP Disclosure Management\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "SAP SAP Disclosure Management 10.1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-6289",
  "serverity": "\u4e2d",
  "submitTime": "2020-07-30",
  "title": "SAP Disclosure Management\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

GSD-2020-6289

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.

Aliases

CVE-2020-6289

Aliases

CVE-2020-6289

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-6289",
    "description": "SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.",
    "id": "GSD-2020-6289"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-6289"
      ],
      "details": "SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.",
      "id": "GSD-2020-6289",
      "modified": "2023-12-13T01:21:54.549767Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@sap.com",
        "ID": "CVE-2020-6289",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "SAP Disclosure Management",
                    "version": {
                      "version_data": [
                        {
                          "version_name": "\u003c",
                          "version_value": "1.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SAP SE"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site."
          }
        ]
      },
      "impact": {
        "cvss": {
          "baseScore": "4.3",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Cross-Site Request Forgery"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675",
            "refsource": "MISC",
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675"
          },
          {
            "name": "https://launchpad.support.sap.com/#/notes/2758000",
            "refsource": "MISC",
            "url": "https://launchpad.support.sap.com/#/notes/2758000"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:disclosure_management:10.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2020-6289"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-352"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://launchpad.support.sap.com/#/notes/2758000",
              "refsource": "MISC",
              "tags": [
                "Permissions Required",
                "Vendor Advisory"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2758000"
            },
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2020-07-15T18:06Z",
      "publishedDate": "2020-07-14T13:15Z"
    }
  }
}

GHSA-5WX7-4G7M-P3V7

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22

Details

SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-6289"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-14T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.",
  "id": "GHSA-5wx7-4g7m-p3v7",
  "modified": "2022-05-24T17:22:53Z",
  "published": "2022-05-24T17:22:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6289"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/2758000"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-6289 (GCVE-0-2020-6289)

CERTFR-2020-AVI-432

Solution

CERTFR-2020-AVI-432

Solution

FKIE_CVE-2020-6289

CNVD-2020-44621

GSD-2020-6289

GHSA-5WX7-4G7M-P3V7

Tags

Sightings

Nomenclature