Two of the Security Notes are rated Hot News and address critical flaws in SAP Marketing (Mobile Channel Servlet) (CVE-2020-6320 – Incorrect Access Control) and in NetWeaver (ABAP Server) and ABAP Platform (CVE-2020-6318 – Code Injection), with CVSS scores of 9.6 and 9.1. Mobile Channel Servlet provides mobile push, in which campaign notifications are sent via Google Firebase to Android and iOS devices. The critical flaw addressed this week allows an authenticated attacker to access restricted functions. "An exploitation of the vulnerability allows an attacker to execute contact and interaction data related tasks," explains Onapsis, a firm specializing in securing Oracle and SAP applications.

The code injection flaw in NetWeaver would allow an attacker to take complete control of the application. The attacker could therefore view, change, or delete data via code injected into memory and executed by the application, or cause the application to terminate.

In addition, SAP updated two further Hot News Security Notes, one addressing a missing Solution Manager authentication check (CVE-2020-6207, CVSS score of 10), and the other dealing with security updates for the Business Client Chromium web browser (CVSS score of 9.8). Two other Security Note updates address high-severity vulnerabilities, namely a code injection in NetWeaver (ABAP) and ABAP Platform (CVE-2020-6296) and a server-side request forgery in NetWeaver AS ABAP (CVE-2020-6275).

"Three of the six HotNews and High Priority notes contain only more or less minor update information not requiring customer action (as compared to the initial / last version of the note). The two HotNews notes #2961991 and #2958563 only affect a small number of SAP customers on DB4 or Sybase (SAP Marketing, SAP NetWeaver AS ABAP). That leaves sufficient time for checking the status of all relevant security patches in your SAP system," notes Onapsis.

Five security notes released this week address medium-risk vulnerabilities in Bank Analyzer and S/4HANA Financial Products (CVE-2020-6311), Commerce (CVE-2020-6302), NetWeaver AS ABAP (CVE-2020-6324), NetWeaver AS Java (CVE-2020-6326), and Fiori (Launchpad) (CVE-2020-6283). The notes for the BusinessObjects Business Intelligence Platform (CVE-2020-6325, CVE-2020-6312, and CVE-2020-6288) and the 3D Visual Enterprise Viewer (38 CVEs) address multiple vulnerabilities.

SAP also released updates for two medium-priority issues this week: one addressing cross-site scripting (XSS) vulnerabilities in the jQuery library bundled with SAPUI5 (CVE-2020-11022, CVE-2020-11023) and another patching a server-side request forgery in NetWeaver AS JAVA (CVE-2020-6282). SAP also announced a low-priority Security Note that patches an information disclosure vulnerability in Adaptive Server Enterprise (CVE-2020-6317).