Two of the Security Notes are tagged as Hot News and address critical flaws in SAP Marketing, Mobile Channel Servlet (CVE-2020-6320, Incorrect Access Control) and in NetWeaver (ABAP Server) and ABAP Platform (CVE-2020-6318, Code Injection), with CVSS scores of 9.6 and 9.1. Mobile Channel Servlet allows for mobile campaigns in which push notifications are sent via Google Firebase to Android and iOS devices. The critical flaw addressed this week allows access to restricted functions by an authenticated attacker. “An exploitation of the vulnerability allows an attacker to perform contact and interaction data related tasks,” explains Onapsis, a firm specializing in securing Oracle and SAP applications.

The code injection flaw in NetWeaver would allow an attacker to take complete control of the application. Thus, the attacker could view, change, or delete data via code injected into memory and executed by the application, or cause the application to stop.

In addition, SAP updated two additional Hot News Security Notes, one addressing a missing Solution Manager authorization check (CVE-2020-6207, CVSS score of 10), and the other dealing with security updates for the Business Client Chromium browser (CVSS score of 9.8). Two other Security Note updates address high-severity vulnerabilities, namely a code injection in NetWeaver (ABAP) and ABAP Platform (CVE-2020-6296) and a server-side request forgery in NetWeaver AS ABAP (CVE-2020-6275).

“Three of the six HotNews and High Priority notes contain only more or less minor update information not requiring customer action (as compared to the initial / previous version of the note). The two HotNews notes #2961991 and #2958563 only affect a small number of customers running on DB4 or Sybase (SAP Marketing, SAP NetWeaver AS ABAP). That leaves sufficient time for checking the status of all relevant security patches in your SAP system,” notes Onapsis.

Five security notes released this week address medium-risk vulnerabilities in Bank Analyzer and S/4HANA Financial Products (CVE-2020-6311), Commerce (CVE-2020-6302), NetWeaver AS ABAP (CVE-2020-6324), NetWeaver AS Java (CVE-2020-6326), and Fiori (Launchpad) (CVE-2020-6283). Multiple vulnerabilities are addressed in the BusinessObjects Business Intelligence Platform (CVE-2020-6325, CVE-2020-6312, and CVE-2020-6288) and the 3D Visual Enterprise Viewer (38 CVEs).

SAP released updates for two medium-priority bugs this week: one dealing with cross-site scripting (XSS) vulnerabilities in the modified jQuery bundled with SAPUI5 (CVE-2020-11022, CVE-2020-11023) and another patching a server-side request forgery in NetWeaver AS JAVA (CVE-2020-6282). SAP also announced a low-priority Security Note that patches an information disclosure vulnerability in Adaptive Server Enterprise (CVE-2020-6317).
Critical Flaws in SAP Marketing Mobile Channel Servlet and NetWeaver - Cybers Guards
Two of the Security Notes are rated as Hot News and address critical flaws in SAP Marketing, Mobile Channel Servlet (CVE-2020-6320, Incorrect Access Control) and in NetWeaver (ABAP Server) and ABAP Platform (CVE-2020-6318, Code Injection), with CVSS scores of 9.6 and 9.1. Mobile Channel Servlet allows for mobile campaigns in which push notifications are sent via Google Firebase to Android and iOS devices. The critical flaw addressed this week allows access to restricted functions by an authenticated attacker.