The most critical of these flaws is a missing XML validation flaw in SAP Commerce. Tracked as CVE-2020-6238 with a CVSS score of 9.3, the vulnerability can be exploited remotely and does not require authentication. An intruder able to exploit the security issue could read confidential files and data from the network. In such scenarios, the attacker may also impact the functionality of SAP and Oracle applications.

Another Hot News Security Note released during the April 2020 SAP Security Patch Day addresses an SAP NetWeaver directory traversal vulnerability (CVE-2020-6225, 9.1 CVSS). The issue lies in NetWeaver Information Management, a centralized access point for users to search directories, handle files, and the like. It also allows users to upload files; however, because of inadequate input validation, an attacker might be able to overwrite, delete or corrupt arbitrary files, Onapsis explains.

Another Hot News Security Note addresses a deserialization vulnerability in the SAP BusinessObjects Business Intelligence Platform, which could lead to remote command execution. Tracked as CVE-2020-6219 (CVSS score of 9.1), the problem allows control of the argument for a specific variable.

SAP has also posted a Hot News Security Note for OrientDB 3.0 to fix a code injection vulnerability. Tracked as CVE-2020-6230, the vulnerability involves authentication and the execution of scripts, and has a CVSS score of 9.1.

The fifth security note published during the April 2020 Security Patch Day is an update to the November 2019 Patch Day note that fixes the command injection vulnerability in the SAP Diagnostics Agent (CVE-2019-0330, 9.1 CVSS).
As part of the April 2020 Patch Day, a total of five high priority security notes were released, the main one being a missing authentication check in SAP Solution Manager (Diagnostics Agent). This vulnerability, tracked as CVE-2020-6235, can allow an attacker to read sensitive information or exploit an agent's authentication check to access administrative or other privileged functions.

Other high priority bugs fixed by SAP include an information disclosure issue in Business Objects Business Intelligence Platform (CVE-2020-6237), and privilege escalation vulnerabilities in Host Agent (CVE-2020-6234) and Landscape Manager 3.0 / SAP (CVE-2020-6236). The fifth high priority note is an update of the March 2020 Patch Day security note, which fixes an administrator write in code vulnerability in Crystal Reports (Business Objects Business Intelligence Platform), tracked as CVE-2020-6208 with a CVSS score of 8.1.

The remaining security notes address medium priority vulnerabilities in ERP & S/4 HANA, NetWeaver, Fiori Launchpad, Business Client, S/4 HANA, and SAP Commerce.