Skip to main content

Enable Now CVE-2020-6178

MEDIUM
Information Exposure (CWE-200)
2020-03-10 cna@sap.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Mar 10, 2020 - 21:15 nvd
MEDIUM 5.4

DescriptionNVD

SAP Enable Now, before version 1911, sends the Session ID cookie value in URL. This might be stolen from the browser history or log files, leading to Information Disclosure.

AnalysisAI

SAP Enable Now, before version 1911, sends the Session ID cookie value in URL. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. SAP Enable Now, before version 1911, sends the Session ID cookie value in URL. This might be stolen from the browser history or log files, leading to Information Disclosure. Affected products include: Sap Enable Now. Version information: version 1911.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

CVE-2019-0403 CRITICAL
9.8 Dec 11

SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed whe

CVE-2019-0341 HIGH
8.8 Aug 14

The session cookie used by SAP Enable Now, version 1902, does not have the HttpOnly flag set. Rated high severity (CVSS

CVE-2019-0405 HIGH
7.5 Dec 11

SAP Enable Now, before version 1911, leaks information about the existence of a particular user which can be used to con

CVE-2019-0404 HIGH
7.5 Dec 11

SAP Enable Now, before version 1911, leaks information about network configuration in the server error messages, leading

CVE-2019-0385 MEDIUM
6.5 Nov 13

SAP Enable Now, before version 1908, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Script

CVE-2023-36918 MEDIUM
6.1 Jul 11

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X

CVE-2023-33988 MEDIUM
6.1 Jul 11

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the C

CVE-2022-35297 MEDIUM
5.4 Oct 11

The application SAP Enable Now does not sufficiently encode user-controlled inputs over the network before it is placed

CVE-2019-0340 MEDIUM
5.4 Aug 14

The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to

CVE-2023-36919 MEDIUM
5.3 Jul 11

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the R

CVE-2024-34692 MEDIUM
4.6 Jul 09

Due to missing verification of file type or content, SAP Enable Now allows an authenticated attacker to upload arbitrary

CVE-2021-27637 MEDIUM
4.6 Jun 09

Under certain conditions SAP Enable Now (SAP Workforce Performance Builder - Manager), versions - 1.0, 10 allows an atta

Share

CVE-2020-6178 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy