Skip to main content

Disclosure Management CVE-2020-6289

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2020-07-14 cna@sap.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 14, 2020 - 13:15 nvd
HIGH 8.8

DescriptionNVD

SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.

AnalysisAI

SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site. Affected products include: Sap Disclosure Management. Version information: version 10.1.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2018-2404 CRITICAL
9.8 Apr 10

SAP Disclosure Management 10.1 allows an attacker to upload any file without proper file format validation. Rated critic

CVE-2020-6292 HIGH
8.8 Jul 14

Logout mechanism in SAP Disclosure Management, version 10.1, does not invalidate one of the session cookies, leading to

CVE-2020-6291 HIGH
8.8 Jul 14

SAP Disclosure Management, version 10.1, session mechanism does not have expiration data set therefore allows unlimited

CVE-2019-0258 HIGH
8.8 Feb 15

SAP Disclosure Management, version 10.01, does not perform necessary authorization checks for an authenticated user, res

CVE-2018-2413 HIGH
8.8 Apr 10

SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in e

CVE-2018-2412 HIGH
8.8 Apr 10

SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in e

CVE-2018-2487 HIGH
8.3 Nov 13

SAP Disclosure Management 10.x allows an attacker to exploit through a specially crafted zip file provided by users: Whe

CVE-2020-6209 HIGH
7.5 Mar 10

SAP Disclosure Management, version 10.1, does not perform necessary authorization checks for an authenticated user, allo

CVE-2022-41274 MEDIUM
6.5 Dec 13

SAP Disclosure Management - version 10.1, allows an authenticated attacker to exploit certain misconfigured application

CVE-2018-2403 MEDIUM
6.5 Apr 10

Under certain conditions, SAP Disclosure Management 10.1 allows an attacker to access information which would otherwise

CVE-2020-26828 MEDIUM
6.4 Dec 09

SAP Disclosure Management, version - 10.1, provides capabilities for authorized users to upload and download content of

CVE-2020-6290 MEDIUM
6.3 Jul 14

SAP Disclosure Management, version 10.1, is vulnerable to Session Fixation attacks wherein the attacker tricks the user

Share

CVE-2020-6289 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy