SAP Security Patch Day – October 2020

This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches with priority to protect their SAP landscape.

On 13 October 2020, SAP Security Patch Day saw the release of 15 Security Notes. There were 6 updates to previously released Patch Day Security Notes. Two of this month's notes (2969828 and 2971638) concern CA Introscope Enterprise Manager as shipped with SAP Solution Manager and SAP Focused Run; the Hot News note among them, for OS command injection, carries the maximum CVSS score of 10.0.

List of security notes released on October Patch Day:

| Note# | Title | Product / Versions | Priority | CVSS |
|---|---|---|---|---|
| 2969828 | [CVE-2020-6364] OS Command Injection Vulnerability in CA Introscope Enterprise Manager (Affected Products: SAP Solution Manager and SAP Focused Run) | SAP Solution Manager (CA Introscope Enterprise Manager) and SAP Focused Run (CA Introscope Enterprise Manager); Versions: WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7 | Hot News | 10.0 |
| 2622660 | Update to security note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client | SAP Business Client, Version 6.5 | Hot News | 9.8 |
| 2941667 | Update to security note released on August 2020 Patch Day: [CVE-2020-6296] Code Injection Vulnerability in SAP NetWeaver (ABAP) and ABAP Platform | SAP NetWeaver (ABAP Server) and ABAP Platform; Versions: 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755 | High | 8.3 |
| 2972661 | [CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework | SAP NetWeaver Composite Application Framework; Versions: 7.20, 7.30, 7.31, 7.40, 7.50 | High | 8.2 |
| 2969457 | [CVE-2020-6366] Missing XML Validation in SAP NetWeaver (Compare Systems) | SAP NetWeaver (Compare Systems); Versions: 7.20, 7.30, 7.31, 7.40, 7.50 | High | 7.6 |
| 2971638 | [CVE-2020-6369] Hard-coded Credentials in CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run) | CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run); Versions: 9.7, 10.1, 10.5, 10.7 | High | 7.5 |
| 2941315 | Update to security note released on August 2020 Patch Day: [CVE-2020-6309] Missing Authentication check in SAP NetWeaver AS JAVA | SAP NetWeaver AS JAVA (ENGINEAPI versions 7.10, 7.10; WSRM versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW versions 7.10, 7.11) | High | 7.5 |
| 2898077 | Update to security note released on April 2020 Patch Day: [CVE-2020-6237] Information Disclosure in SAP Business Objects Business Intelligence Platform (dswsbobje Web Application) | SAP Business Objects Business Intelligence Platform; Versions: 4.1, 4.2 | High | 7.5 |
| 2902456 | Update to security note released on April 2020 Patch Day: [CVE-2020-6236] Privilege Escalation in SAP Landscape Management (SAP Adaptive Extensions) | SAP Landscape Management, Version 3.0; SAP Adaptive Extensions, Version 1.0 | High | 7.2 |
| 2956398 | [CVE-2020-6319] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java | SAP NetWeaver Application Server Java; Versions: 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 6.1 |
| 2973497 | [CVE-2020-6315] Multiple Vulnerabilities in SAP 3D Visual Enterprise Viewer (additional CVEs: CVE-2020-6372, CVE-2020-6373, CVE-2020-6374, CVE-2020-6375, CVE-2020-6376) | SAP 3D Visual Enterprise Viewer, Version 9 | Medium | 5.7 |
| 2917381 | [CVE-2020-6272] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Cloud | SAP Commerce Cloud; Versions: 1808, 1811, 1905, 2005 | Medium | 5.4 |
| 2960825 | [CVE-2020-6368] Cross-Site Scripting (XSS) vulnerability in SAP Business Planning and Consolidation | SAP Business Planning and Consolidation; Versions: 750, 751, 752, 753, 754, 755, 810, 100, 200 | Medium | 5.4 |
| 2949196 | Update to security note released on August 2020 Patch Day: [CVE-2020-6301] Missing Authorization check in SAP ERP (HCM Travel Management) | SAP ERP (HCM Travel Management); Versions: 600, 602, 603, 604, 605, 606, 607, 608 | Medium | 5.4 |
| 2943844 | [CVE-2020-6308] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Services) | SAP BusinessObjects Business Intelligence Platform (Web Services); Versions: 410, 420, 430 | Medium | 5.3 |
| 2939419 | [CVE-2020-6370] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (DI Design Time Repository) | SAP NetWeaver (DI Design Time Repository); Versions: 7.11, 7.30, 7.31, 7.40, 7.50 | Medium | 4.8 |
| 2965315 | [CVE-2020-6365] Reverse Tabnabbing vulnerability in SAP NetWeaver AS Java Start Page | SAP NetWeaver Application Server Java; Versions: 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 4.7 |
| 2960329 | [CVE-2020-6323] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (Fiori Framework Page) | SAP NetWeaver Enterprise Portal (Fiori Framework Page); Versions: 7.31, 7.40, 7.50 | Medium | 4.4 |
| 2963137 | [CVE-2020-6371] Information disclosure in SAP NetWeaver AS ABAP via the POWL Test Feeder endpoint | SAP NetWeaver Application Server ABAP (POWL test application); Versions: 710, 711, 730, 731, 740, 750 | Medium | 4.3 |
| 2953212 | [CVE-2020-6362] Incorrect Authorization in SAP Banking Services | SAP Banking Services, Version 500 | Medium | 4.3 |
| 2965287 | [CVE-2020-6363] Insufficient Session Expiration in SAP Commerce Cloud | SAP Commerce Cloud; Versions: 1808, 1811, 1905, 2005 | Low | 3.7 |


Vulnerability Type Distribution – October 2020 (chart)#

# Multiple vulnerabilities in the same product can be fixed by one security note.

Security Notes vs Priority Distribution (May 2020 – October 2020)** (chart)

* Patch Day Security Notes are all notes that appear under the category "Patch Day Notes" in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.


Customers who would like to see all Security Notes published or updated after September 8, 2020 can go to Launchpad Expert Search → filter 'SAP Security Notes' released between 'September 9, 2020 - October 13, 2020' → Go.

To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Write to us at secure@sap.com with your comments and feedback on this blog post.

SAP Product Security Response Team
