diff --git a/2018/6xxx/CVE-2018-6402.json b/2018/6xxx/CVE-2018-6402.json index 69be19075ee..434ebcd9bae 100644 --- a/2018/6xxx/CVE-2018-6402.json +++ b/2018/6xxx/CVE-2018-6402.json @@ -2,7 +2,30 @@ "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-6402", - "STATE": "RESERVED" + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } }, "data_format": "MITRE", "data_type": "CVE", @@ -11,7 +34,28 @@ "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Ecobee Ecobee4 4.2.0.171 devices can be forced to deauthenticate and connect to an unencrypted Wi-Fi network with the same SSID, even if the device settings specify use of encryption such as WPA2, as long as the competing network has a stronger signal. An attacker must be able to set up a nearby SSID, similar to an \"Evil Twin\" attack." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://garrettmiller.github.io/meross-mss110-vuln/", + "url": "https://garrettmiller.github.io/meross-mss110-vuln/" } ] } diff --git a/2019/14xxx/CVE-2019-14326.json b/2019/14xxx/CVE-2019-14326.json new file mode 100644 index 00000000000..abb8f674631 --- /dev/null +++ b/2019/14xxx/CVE-2019-14326.json @@ -0,0 +1,67 @@ +{ + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2019-14326", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An issue was discovered in AndyOS Andy versions up to 46.11.113. By default, it starts telnet and ssh (ports 22 and 23) with root privileges in the emulated Android system. This can be exploited by remote attackers to gain full access to the device, or by malicious apps installed inside the emulator to perform privilege escalation from a normal user to root (unlike with standard methods of getting root privileges on Android - e.g., the SuperSu program - the user is not asked for consent). There is no authentication performed - access to a root shell is given upon a successful connection. NOTE: although this was originally published with a slightly different CVE ID number, the correct ID for this Andy vulnerability has always been CVE-2019-14326." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://github.com/seqred-s-a/cve-2019-14326", + "url": "https://github.com/seqred-s-a/cve-2019-14326" + }, + { + "refsource": "MISC", + "name": "https://seqred.pl/en/cve-privilege-escalation-in-andy/", + "url": "https://seqred.pl/en/cve-privilege-escalation-in-andy/" + } + ] + } +} \ No newline at end of file diff --git a/2019/19xxx/CVE-2019-19913.json b/2019/19xxx/CVE-2019-19913.json index 08865aea38d..fe3d609ee70 100644 --- a/2019/19xxx/CVE-2019-19913.json +++ b/2019/19xxx/CVE-2019-19913.json @@ -56,6 +56,11 @@ "refsource": "MISC", "name": "http://packetstormsecurity.com/files/156951/codeBeamer-9.5-Cross-Site-Scripting.html", "url": "http://packetstormsecurity.com/files/156951/codeBeamer-9.5-Cross-Site-Scripting.html" + }, + { + "refsource": "FULLDISC", + "name": "20200414 Matrix42 Workspace Management 9.1.2.2765 - Reflected Cross-Site Scripting", + "url": "http://seclists.org/fulldisclosure/2020/Apr/9" } ] } diff --git a/2020/6xxx/CVE-2020-6214.json b/2020/6xxx/CVE-2020-6214.json index 552db409ac0..ba003bdadba 100644 --- a/2020/6xxx/CVE-2020-6214.json +++ b/2020/6xxx/CVE-2020-6214.json @@ -4,14 +4,71 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6214", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP S/4HANA (Financial Products Subledger)", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "100" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP S/4HANA (Financial Products Subledger), version 100, uses an incorrect authorization object in some reports. Although the affected reports are protected with other authorization objects, exploitation of the vulnerability would allow an authenticated attacker to view, change, or delete data, thereby preventing the proper segregation of duties in the system." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "4.7", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-863" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://launchpad.support.sap.com/#/notes/2897612", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2897612" + }, + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" } ] } diff --git a/2020/6xxx/CVE-2020-6216.json b/2020/6xxx/CVE-2020-6216.json index be2c9111393..31244184b0c 100644 --- a/2020/6xxx/CVE-2020-6216.json +++ b/2020/6xxx/CVE-2020-6216.json @@ -4,14 +4,71 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6216", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP Business Objects Business Intelligence Platform (BI Launchpad)", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "4.2" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "6.1", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross Site Scripting" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2876059", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2876059" } ] } diff --git a/2020/6xxx/CVE-2020-6218.json b/2020/6xxx/CVE-2020-6218.json index a53992cfc49..9cfabc282dd 100644 --- a/2020/6xxx/CVE-2020-6218.json +++ b/2020/6xxx/CVE-2020-6218.json @@ -4,14 +4,75 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6218", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP Business Objects Business Intelligence Platform", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "4.1" + }, + { + "version_name": "<", + "version_value": "4.2" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Admin tools and Query Builder in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, allows an attacker to access information that should otherwise be restricted, leading to Information Disclosure." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "5.0", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Information Disclosure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://launchpad.support.sap.com/#/notes/2878507", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2878507" + }, + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" } ] } diff --git a/2020/6xxx/CVE-2020-6219.json b/2020/6xxx/CVE-2020-6219.json index 2a6947a332e..9ecfa6ebf5b 100644 --- a/2020/6xxx/CVE-2020-6219.json +++ b/2020/6xxx/CVE-2020-6219.json @@ -4,14 +4,86 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6219", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer)", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "4.1" + }, + { + "version_name": "<", + "version_value": "4.2" + } + ] + } + }, + { + "product_name": "Crystal Reports for VS", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "2010" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1, 4.2, and Crystal Reports for VS version 2010, allows an attacker with basic authorization to perform deserialization attack in the application, leading to service interruptions and denial of service and unauthorized execution of arbitrary commands, leading to Deserialization of Untrusted Data." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "9.1", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-502" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2863731", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2863731" } ] } diff --git a/2020/6xxx/CVE-2020-6221.json b/2020/6xxx/CVE-2020-6221.json index 2bd90430ab2..01ca00e8534 100644 --- a/2020/6xxx/CVE-2020-6221.json +++ b/2020/6xxx/CVE-2020-6221.json @@ -4,14 +4,75 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6221", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP BusinessObjects Business Intelligence Platform", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "4.1" + }, + { + "version_name": "<", + "version_value": "4.2" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Web Intelligence HTML interface in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "5.4", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross Site Scripting" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://launchpad.support.sap.com/#/notes/2878507", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2878507" + }, + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" } ] } diff --git a/2020/6xxx/CVE-2020-6222.json b/2020/6xxx/CVE-2020-6222.json index 7f68b5da76d..9403d099f5b 100644 --- a/2020/6xxx/CVE-2020-6222.json +++ b/2020/6xxx/CVE-2020-6222.json @@ -4,14 +4,75 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6222", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "4.1" + }, + { + "version_name": "<", + "version_value": "4.2" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "5.4", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross Site Scripting" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2880804", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2880804" } ] } diff --git a/2020/6xxx/CVE-2020-6223.json b/2020/6xxx/CVE-2020-6223.json index 121b4e43254..21b8495145a 100644 --- a/2020/6xxx/CVE-2020-6223.json +++ b/2020/6xxx/CVE-2020-6223.json @@ -4,14 +4,75 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6223", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP Business Objects Business Intelligence Platform", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "4.1" + }, + { + "version_name": "<", + "version_value": "4.2" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The open document of SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, allows an attacker to modify certain error pages to include malicious content. This can misdirect a user who is tricked into accessing these error pages rendered by the application, leading to Content Spoofing." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "6.1", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Content Spoofing" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://launchpad.support.sap.com/#/notes/2878507", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2878507" + }, + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" } ] } diff --git a/2020/6xxx/CVE-2020-6224.json b/2020/6xxx/CVE-2020-6224.json index 50330412446..8a3b8a37586 100644 --- a/2020/6xxx/CVE-2020-6224.json +++ b/2020/6xxx/CVE-2020-6224.json @@ -4,14 +4,95 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6224", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP NetWeaver AS Java (HTTP Service)", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "7.10" + }, + { + "version_name": "<", + "version_value": "7.11" + }, + { + "version_name": "<", + "version_value": "7.20" + }, + { + "version_name": "<", + "version_value": "7.30" + }, + { + "version_name": "<", + "version_value": "7.31" + }, + { + "version_name": "<", + "version_value": "7.40" + }, + { + "version_name": "<", + "version_value": "7.50" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to Information Disclosure." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "6.2", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Information Disclosure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2826528", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2826528" } ] } diff --git a/2020/6xxx/CVE-2020-6226.json b/2020/6xxx/CVE-2020-6226.json index 5b4da859226..321d45153a0 100644 --- a/2020/6xxx/CVE-2020-6226.json +++ b/2020/6xxx/CVE-2020-6226.json @@ -4,14 +4,71 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6226", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface)", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "4.2" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "5.4", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross Site Scripting" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2879132", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2879132" } ] } diff --git a/2020/6xxx/CVE-2020-6227.json b/2020/6xxx/CVE-2020-6227.json index ae517934c34..7db697f0f8a 100644 --- a/2020/6xxx/CVE-2020-6227.json +++ b/2020/6xxx/CVE-2020-6227.json @@ -4,14 +4,71 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6227", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP Business Objects Business Intelligence Platform (CMS / Auditing issues)", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "4.2" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP Business Objects Business Intelligence Platform (CMS / Auditing issues), version 4.2, allows attacker to send specially crafted GIOP packets to several services due to Improper Input Validation, allowing to forge additional entries in GLF log files." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "5.3", + "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper Input Validation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2863396", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2863396" } ] } diff --git a/2020/6xxx/CVE-2020-6228.json b/2020/6xxx/CVE-2020-6228.json index 6ae8dd557b5..df98e346be2 100644 --- a/2020/6xxx/CVE-2020-6228.json +++ b/2020/6xxx/CVE-2020-6228.json @@ -4,14 +4,75 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6228", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP Business Client", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "6.5" + }, + { + "version_name": "<", + "version_value": "7.0" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP Business Client, versions 6.5, 7.0, does not perform necessary integrity checks which could be exploited by an attacker under certain conditions to modify the installer." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "5.3", + "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Other" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2866752", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2866752" } ] } diff --git a/2020/6xxx/CVE-2020-6229.json b/2020/6xxx/CVE-2020-6229.json index 58b55b7ba79..d75188bffa1 100644 --- a/2020/6xxx/CVE-2020-6229.json +++ b/2020/6xxx/CVE-2020-6229.json @@ -4,14 +4,131 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6229", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME)", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "700" + }, + { + "version_name": "<", + "version_value": "701" + }, + { + "version_name": "<", + "version_value": "702" + }, + { + "version_name": "<", + "version_value": "710" + }, + { + "version_name": "<", + "version_value": "711" + }, + { + "version_name": "<", + "version_value": "730" + }, + { + "version_name": "<", + "version_value": "731" + }, + { + "version_name": "<", + "version_value": "740" + }, + { + "version_name": "<", + "version_value": "750" + }, + { + "version_name": "<", + "version_value": "751" + }, + { + "version_name": "<", + "version_value": "752" + }, + { + "version_name": "<", + "version_value": "75A" + }, + { + "version_name": "<", + "version_value": "75B" + }, + { + "version_name": "<", + "version_value": "75C" + }, + { + "version_name": "<", + "version_value": "75D" + }, + { + "version_name": "<", + "version_value": "75E" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME), versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not sufficiently encode user controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "6.1", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross Site Scripting" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2900374", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2900374" } ] } diff --git a/2020/6xxx/CVE-2020-6230.json b/2020/6xxx/CVE-2020-6230.json index c5b2e93597c..81fdbaaf556 100644 --- a/2020/6xxx/CVE-2020-6230.json +++ b/2020/6xxx/CVE-2020-6230.json @@ -4,14 +4,71 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6230", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP OrientDB", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "3.0" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP OrientDB, version 3.0, allows an authenticated attacker with script execute/write permissions to inject code that can be executed by the application and lead to Code Injection. An attacker could thereby control the behavior of the application." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "9.1", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Code Injection" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2900118", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2900118" } ] } diff --git a/2020/6xxx/CVE-2020-6231.json b/2020/6xxx/CVE-2020-6231.json index 02bd6b55b13..425a66e0728 100644 --- a/2020/6xxx/CVE-2020-6231.json +++ b/2020/6xxx/CVE-2020-6231.json @@ -4,14 +4,71 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6231", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface)", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "4.2" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "5.4", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross Site Scripting" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2879132", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2879132" } ] } diff --git a/2020/6xxx/CVE-2020-6232.json b/2020/6xxx/CVE-2020-6232.json index dbaad7ba757..3091b806756 100644 --- a/2020/6xxx/CVE-2020-6232.json +++ b/2020/6xxx/CVE-2020-6232.json @@ -4,14 +4,75 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6232", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP Commerce", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "1811" + }, + { + "version_name": "<", + "version_value": "1905" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP Commerce, versions 1811, 1905, does not perform necessary authorization checks for an anonymous user, due to Missing Authorization Check. This affects confidentiality of secure media." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "5.3", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Missing Authorization Check" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2888556", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2888556" } ] } diff --git a/2020/6xxx/CVE-2020-6233.json b/2020/6xxx/CVE-2020-6233.json index ef95c28a63b..7d505ca0c46 100644 --- a/2020/6xxx/CVE-2020-6233.json +++ b/2020/6xxx/CVE-2020-6233.json @@ -4,14 +4,90 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6233", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP S/4 HANA (Financial Products Subledger and Banking Services) (FSAPPL)", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "400" + }, + { + "version_name": "<", + "version_value": "450" + }, + { + "version_name": "<", + "version_value": "500" + } + ] + } + }, + { + "product_name": "SAP S/4 HANA (Financial Products Subledger and Banking Services) (S4FPSL)", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "100" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP S/4 HANA (Financial Products Subledger and Banking Services), versions - FSAPPL 400, 450, 500 and S4FPSL 100, allows an authenticated user to run an analysis report due to Missing Authorization Check, resulting in slowing the system." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "4.3", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Missing Authorization Check" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2904796", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2904796" } ] } diff --git a/2020/6xxx/CVE-2020-6234.json b/2020/6xxx/CVE-2020-6234.json index 545818b94b2..31753feba8d 100644 --- a/2020/6xxx/CVE-2020-6234.json +++ b/2020/6xxx/CVE-2020-6234.json @@ -4,14 +4,71 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6234", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP Host Agent", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "7.21" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP Host Agent, version 7.21, allows an attacker with admin privileges to use the operation framework to gain root privileges over the underlying operating system, leading to Privilege Escalation." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "7.2", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Privilege Escalation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2902645", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2902645" } ] } diff --git a/2020/6xxx/CVE-2020-6235.json b/2020/6xxx/CVE-2020-6235.json index 99033ed465a..cf6083f7e01 100644 --- a/2020/6xxx/CVE-2020-6235.json +++ b/2020/6xxx/CVE-2020-6235.json @@ -4,14 +4,71 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6235", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP Solution Manager (Diagnostics Agent)", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "7.2" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP Solution Manager (Diagnostics Agent), version 7.2, does not perform the authentication check for the functionalities of the Collector Simulator, leading to Missing Authentication." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "3.8", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Missing authentication" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2906994", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2906994" } ] } diff --git a/2020/6xxx/CVE-2020-6236.json b/2020/6xxx/CVE-2020-6236.json index e50bbe7a2dd..a7b918260b9 100644 --- a/2020/6xxx/CVE-2020-6236.json +++ b/2020/6xxx/CVE-2020-6236.json @@ -4,14 +4,82 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6236", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP Landscape Management", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "3.0" + } + ] + } + }, + { + "product_name": "SAP Adaptive Extensions", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "1.0" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP Landscape Management, version 3.0, and SAP Adaptive Extensions, version 1.0, allows an attacker with admin_group privileges to change ownership and permissions (including S-user ID bit s-bit) of arbitrary files remotely. This results in the possibility to execute these files as root user from a non-root context, leading to Privilege Escalation." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "7.2", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Privilege Escalation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2902456", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2902456" } ] } diff --git a/2020/6xxx/CVE-2020-6237.json b/2020/6xxx/CVE-2020-6237.json index 74b852594ab..7badb243e39 100644 --- a/2020/6xxx/CVE-2020-6237.json +++ b/2020/6xxx/CVE-2020-6237.json @@ -4,14 +4,75 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6237", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP Business Objects Business Intelligence Platform", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "4.1" + }, + { + "version_name": "<", + "version_value": "4.2" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Under certain conditions, SAP Business Objects Business Intelligence Platform, version 4.1, 4.2, dswsbobje web application allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "7.5", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Information Disclosure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2898077", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2898077" } ] } diff --git a/2020/6xxx/CVE-2020-6238.json b/2020/6xxx/CVE-2020-6238.json index bde3507e52c..2618dee25f6 100644 --- a/2020/6xxx/CVE-2020-6238.json +++ b/2020/6xxx/CVE-2020-6238.json @@ -4,14 +4,87 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-6238", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP SE", + "product": { + "product_data": [ + { + "product_name": "SAP Commerce", + "version": { + "version_data": [ + { + "version_name": "<", + "version_value": "6.6" + }, + { + "version_name": "<", + "version_value": "6.7" + }, + { + "version_name": "<", + "version_value": "1808" + }, + { + "version_name": "<", + "version_value": "1811" + }, + { + "version_name": "<", + "version_value": "1905" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "9.3", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Missing XML Validation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", + "refsource": "MISC", + "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202" + }, + { + "url": "https://launchpad.support.sap.com/#/notes/2904480", + "refsource": "MISC", + "name": "https://launchpad.support.sap.com/#/notes/2904480" } ] }