Security Experts:

Connect with us

Hi, what are you looking for?



SAP Releases August 2020 Security Updates

SAP this week announced the release of 15 new Security Notes as part of the August 2020 SAP Security Patch Day, including some that address serious vulnerabilities in NetWeaver.

SAP this week announced the release of 15 new Security Notes as part of the August 2020 SAP Security Patch Day, including some that address serious vulnerabilities in NetWeaver.

The most important of these is a cross-site scripting (XSS) flaw in the Knowledge Management component of NetWeaver. Tracked as CVE-2020-6284 and featuring Hot News priority, the issue has a CVSS score of 9.

A default component of all SAP Enterprise Portal installations, Knowledge Management allows users to manage data sources in multiple formats, to create and modify content and folders, as well as upload files.

The upload function, ERP cyber-security provider Onapsis reveals, could be exploited to upload malicious HTML files containing JavaScript code, to perform a stored XSS attack. The issue was related to an inefficient filtering mechanism meant to prevent the upload of files injected with executable code.

Successful exploitation of the vulnerability requires for a user with administrative privileges to access the malicious file, which lowers the CVSS score to 9 — otherwise it would have been 9.9.

Another Hot News Security Note released on this Security Patch Day is an update for a July 2020 Security Note that addresses a critical bug (CVSS score 10) in NetWeaver AS JAVA (LM Configuration Wizard) that is tracked as CVE-2020-6287 and which is also referred to as RECON (Remotely Exploitable Code On NetWeaver).

On the August 2020 Security Patch Day, SAP also released three High Priority Security Notes addressing vulnerabilities in NetWeaver: CVE-2020-6296 (CVSS score 8.3) – code injection in NetWeaver (ABAP) and ABAP Platform; CVE-2020-6309 (CVSS score 7.5) – missing authentication in NetWeaver AS JAVA; and CVE-2020-6293 (CVSS score 7.3) – unrestricted file upload in NetWeaver (Knowledge Management).

According to Onapsis, if a patch for the Hot News flaw in Knowledge Management is not applied, CVE-2020-6293 – which allows an attacker to create, modify, or delete files in the Knowledge Management component – can be exploited without authentication, which essentially increases its CVSS score to 9.6, making it a critical flaw.

SAP also released two High Priority Security Notes to patch missing authentication checks, one in the BusinessObjects Business Intelligence Platform – CVE-2020-6294 (CVSS score 8.5) – and another in Banking Services (Generic Market Data) – CVE-2020-6298 (CVSS score 8.3) – and another to resolve an information disclosure flaw in Adaptive Server Enterprise – CVE-2020-6295 (CVSS score 7).

Exploitation of some of these bugs could lead to denial of service, the leakage of mouse and keyboard activities and the ability to record screenshots, reading protected Business Partner Generic Market Data (GMD), or reading information in the installation log files.

All of the remaining Security Notes released on the August 2020 Security Patch Day address Medium Priority bugs, including XSS vulnerabilities in SAP Commerce, modified jQuery bundled with SAPUI5, and Business Objects Business Intelligence Platform (Central Management Console); information disclosure in Data Intelligence, and NetWeaver (ABAP Server) and ABAP Platform; and missing authorization checks in ERP (HCM Travel Management) and S/4 HANA (Fiori UI for General Ledger Accounting).

Related: SAP Releases 10 Security Notes on July 2020 Patch Day

Related: Critical Vulnerability Patched in SAP Commerce

Related: Open Source Tool Checks SAP Systems for RECON Attack IOCs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet