SAP Announced 15 New Security Notes Including Vulnerabilities in NetWeaver – Cybers Guards
The most important of these is a cross-site scripting (XSS) flaw in NetWeaver's Knowledge Management feature. Tracked as CVE-2020-6284 and rated Hot News priority, the issue has a CVSS score of 9. Knowledge Management, a default feature of all SAP Enterprise Portal installations, allows users to manage multiple data sources, create and modify content and directories, and upload files. The upload feature, ERP cyber-security provider Onapsis discovered, could be used to upload malicious HTML files containing JavaScript code to execute a stored XSS attack. The issue was due to an ineffective filtering mechanism designed to prevent the upload of files with embedded executable code. Successful exploitation of the vulnerability requires a user with administrative privileges to access the malicious file, which lowers the CVSS score to 9; otherwise it would have been 9.9. Another Hot News Security Note released on this Security Patch Day is an update to a July 2020 Security Note addressing a critical bug (CVSS score 10) in NetWeaver AS JAVA (LM Configuration Wizard) that is tracked as CVE-2020-6287 and also known as RECON (Remotely Exploitable Code On NetWeaver). SAP also issued three High Priority Security Notes on the August 2020 Security Patch Day addressing vulnerabilities in NetWeaver: CVE-2020-6296 (CVSS score 8.3) – code injection in NetWeaver (ABAP) and ABAP Platform; CVE-2020-6309 (CVSS score 7.5) – missing authentication in NetWeaver AS Java; and CVE-2020-6293 (CVSS score 7.3) – unrestricted file upload in NetWeaver (Knowledge Management).
According to Onapsis, if the fix for the Knowledge Management Hot News flaw is not applied, then CVE-2020-6293 – which enables an attacker to create, move or delete files in the Knowledge Management component – may be exploited without authentication, which significantly raises its CVSS score to 9.6 and makes it a critical flaw. SAP also issued two High Priority Security Notes patching incomplete authentication checks, one in Business Objects Business Intelligence Platform – CVE-2020-6294 (CVSS score 8.5) – and one in Banking Services (Generic Market Data) – CVE-2020-6298 (CVSS score 8.3) – and another in Adaptive Server Enterprise (CVSS score 7). Exploitation of any of these bugs may lead to denial of service, leakage of mouse and keyboard activity and the ability to record screenshots, reading of Secure Business Partner Generic Market Data (GMD), or reading of information in the installation log files. All remaining Security Notes released on Security Patch Day in August 2020 address medium priority flaws, including XSS vulnerabilities in SAP Commerce, the jQuery package updated with SAPUI5, and Business Objects Business Intelligence Platform (Central Management Console); information disclosure in Data Intelligence, and in NetWeaver (ABAP Server) and ABAP Platform; and incomplete authorization checks in ERP (HCM Travel Management) and S/4 HANA (Fiori UI for General Ledger Accounting).
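The Knowledge Management flaw described above is a classic upload-filter failure: a check that trusts the file name or declared type lets script-bearing content through and the portal later serves it as a page. The following is an added illustration of that bug class, not SAP's or Onapsis's code, and the page does not describe the actual KM filter logic; the sample uploads, the `weak_filter_allows` and `hardened_filter_allows` functions and the pattern list are all constructed here for the example.

```python
import re

# Constructed sample uploads (not from SAP or Onapsis): (filename, declared type, body).
SAMPLE_UPLOADS = [
    ("report.txt", "text/plain", b"Quarterly figures attached."),
    ("notes.html", "text/html", b"<html><script>alert(1)</script></html>"),
    ("image.jpg", "image/jpeg", b"<svg onload=\"alert(1)\"></svg>"),   # script in a harmless-looking name
    ("readme.md", "text/plain", b"<a href=\"javascript:alert(1)\">x</a>"),
]

BLOCKED_EXTENSIONS = {".html", ".htm", ".js"}


def weak_filter_allows(filename, content_type, body):
    """Name/type-only check of the kind the article calls ineffective: never looks at the bytes."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS and content_type != "text/html"


# Markers of browser-executable content, matched on the body regardless of file name.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|iframe|object|embed|svg|meta|link)\b"  # elements that execute or load code
    rb"|<[^>]+\bon[a-z]+\s*="                             # inline event handlers such as onload=
    rb"|javascript\s*:",                                  # javascript: URLs
    re.IGNORECASE,
)


def hardened_filter_allows(filename, content_type, body):
    """Keep the name/type check but also reject bodies a browser could run as active content.

    In a real portal this belongs alongside serving uploads with
    Content-Disposition: attachment and X-Content-Type-Options: nosniff,
    so that a stored file is never rendered in the portal's own origin."""
    if not weak_filter_allows(filename, content_type, body):
        return False
    return ACTIVE_CONTENT.search(body) is None


def classify_uploads(uploads=SAMPLE_UPLOADS):
    """Return {filename: (weak_decision, hardened_decision)} to show where the checks disagree."""
    return {name: (weak_filter_allows(name, ct, body), hardened_filter_allows(name, ct, body))
            for name, ct, body in uploads}


if __name__ == "__main__":
    for name, (weak, hard) in classify_uploads().items():
        print(f"{name:12s} weak={weak!s:5s} hardened={hard}")
```

Running it shows the two script-bearing files with innocuous names pass the weak check and are rejected only by content inspection, which is the gap that turns an upload feature into a stored XSS vector.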