Sap Se Sap Disclosure Management vulnerabilities
14 known vulnerabilities affecting sap_se/sap_disclosure_management.
Total CVEs
14
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH7MEDIUM6
Vulnerabilities
Page 1 of 1
CVE-2020-26828MEDIUMCVSS 6.4fixed in 10.12020-12-09
CVE-2020-26828 [MEDIUM] CWE-434 CVE-2020-26828: SAP Disclosure Management, version - 10.1, provides capabilities for authorized users to upload and
SAP Disclosure Management, version - 10.1, provides capabilities for authorized users to upload and download content of specific file type. In some file types it is possible to enter formulas which can call external applications or execute scripts. The execution of a payload (script) on target machine could be used to steal and modify the data availa
nvd
CVE-2020-6291HIGHCVSS 8.8fixed in 1.02020-07-14
CVE-2020-6291 [HIGH] CWE-613 CVE-2020-6291: SAP Disclosure Management, version 10.1, session mechanism does not have expiration data set therefo
SAP Disclosure Management, version 10.1, session mechanism does not have expiration data set therefore allows unlimited access after authenticating once, leading to Insufficient Session Expiration
nvd
CVE-2020-6289HIGHCVSS 8.8fixed in 1.02020-07-14
CVE-2020-6289 [HIGH] CWE-352 CVE-2020-6289: SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forg
SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.
nvd
CVE-2020-6292HIGHCVSS 8.8fixed in 1.02020-07-14
CVE-2020-6292 [HIGH] CWE-613 CVE-2020-6292: Logout mechanism in SAP Disclosure Management, version 10.1, does not invalidate one of the session
Logout mechanism in SAP Disclosure Management, version 10.1, does not invalidate one of the session cookies, leading to Insufficient Session Expiration.
nvd
CVE-2020-6290MEDIUMCVSS 6.3fixed in 1.02020-07-14
CVE-2020-6290 [MEDIUM] CWE-384 CVE-2020-6290: SAP Disclosure Management, version 10.1, is vulnerable to Session Fixation attacks wherein the attac
SAP Disclosure Management, version 10.1, is vulnerable to Session Fixation attacks wherein the attacker tricks the user into using a specific session ID.
nvd
CVE-2020-6267MEDIUMCVSS 5.4fixed in 10.12020-07-14
CVE-2020-6267 [MEDIUM] CWE-1004 CVE-2020-6267: Some sensitive cookies in SAP Disclosure Management, version 10.1, are missing HttpOnly flag, leadin
Some sensitive cookies in SAP Disclosure Management, version 10.1, are missing HttpOnly flag, leading to sensitive cookie without Http Only flag.
nvd
CVE-2020-6209HIGHCVSS 7.5fixed in 10.12020-03-10
CVE-2020-6209 [HIGH] CWE-862 CVE-2020-6209: SAP Disclosure Management, version 10.1, does not perform necessary authorization checks for an auth
SAP Disclosure Management, version 10.1, does not perform necessary authorization checks for an authenticated user, allowing access to administration accounts by a user with no roles, leading to Missing Authorization Check.
nvd
CVE-2020-6303MEDIUMCVSS 5.4fixed in 10.12020-01-14
CVE-2020-6303 [MEDIUM] CWE-79 CVE-2020-6303: SAP Disclosure Management, before version 10.1, does not validate user input properly in specific us
SAP Disclosure Management, before version 10.1, does not validate user input properly in specific use cases leading to Cross-Site Scripting.
nvd
CVE-2019-0258HIGHCVSS 8.8fixed in 10.012019-02-15
CVE-2019-0258 [HIGH] CWE-862 CVE-2019-0258: SAP Disclosure Management, version 10.01, does not perform necessary authorization checks for an aut
SAP Disclosure Management, version 10.01, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
nvd
CVE-2019-0254MEDIUMCVSS 5.4fixed in 10.1 Stack 13012019-02-15
CVE-2019-0254 [MEDIUM] CWE-79 CVE-2019-0254: SAP Disclosure Management (before version 10.1 Stack 1301) does not sufficiently encode user-control
SAP Disclosure Management (before version 10.1 Stack 1301) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
nvd
CVE-2018-2404CRITICALCVSS 9.8v10.12018-04-10
CVE-2018-2404 [CRITICAL] CWE-434 CVE-2018-2404: SAP Disclosure Management 10.1 allows an attacker to upload any file without proper file format vali
SAP Disclosure Management 10.1 allows an attacker to upload any file without proper file format validation.
nvd
CVE-2018-2412HIGHCVSS 8.8v10.12018-04-10
CVE-2018-2412 [HIGH] CWE-862 CVE-2018-2412: SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated
SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
nvd
CVE-2018-2413HIGHCVSS 8.8v10.12018-04-10
CVE-2018-2413 [HIGH] CWE-862 CVE-2018-2413: SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated
SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
nvd
CVE-2018-2403MEDIUMCVSS 6.5v10.12018-04-10
CVE-2018-2403 [MEDIUM] CVE-2018-2403: Under certain conditions, SAP Disclosure Management 10.1 allows an attacker to access information wh
Under certain conditions, SAP Disclosure Management 10.1 allows an attacker to access information which would otherwise be restricted. It is possible for an authorized user to get SAP Disclosure Management to point a specific chapter type to a chapter the user has not been given access to.
nvd