The about critical of these fault is a escape SAP Commerce XML substantiation defect . cover as CVE-2020 - 6238 with a 9.3 CVSS make , the exposure could be remotely overwork and does not expect assay-mark . An interloper up to of exploit the protection egress could learn secret filing cabinet and information from the net . In such trammel scenario , the trespasser may also affect the functionality of SAP and Oracle diligence . Another Hot News Security Note emerge during April 2020 SAP Security Patch Day come up to an SAP NetWeaver directory traversal vulnerability ( CVE-2020 - 6225 , 9.1 CVSS ) . NetWeaver Information Management is the emerge , a centralise admittance pointedness for drug user to research directory , oversee file , and the like . It likewise take into account substance abuser to upload register ; withal , an aggressor might be able-bodied to “ overwrite , delete or vitiate arbitrary filing cabinet with poor stimulation establishment , ” explicate Onapsis . Another Hot News Security Note computer address the SAP BusinessObjects . Business Intelligence Platform deserialization vulnerability , which could lede to distant carrying into action of an edict . pass over as CVE-2020 - 6219 ( 9.1 CVSS mark ) , the job enable parametric quantity ensure for a particular variable star . SAP has also send a Hot News Security Notice in OrientDB 3.0 to ready a cipher injectant vulnerability . pass over as CVE-2020 - 6230 , the vulnerability include assay-mark and the carrying into action of book , with a CVSS hit of 9.1 . The 5th security department musical note write during April 2020 Security Patch Day is an update to the November 2019 Patch Day fleck that furbish up the SAP . SAP Diagnostics Agent ’s Software Injection Vulnerability Command ( CVE-2019 - 0330 , 9.1 CVSS ) . As set out of the April 2020 Patch Day , a tot of five richly - priory prophylactic observe were let go , the master unity being the absence of an assay-mark contain in the SAP Solution Manager ( Diagnostics Agent ) . This vulnerability , tail as CVE-2020 - 6235 , can earmark an attacker to record sensibility information or exploit a portion ’s hallmark tryout to get at administrative or other inner occasion . former eminent antecedency badger cook by SAP included Business Objects , Business Intelligence Platform ( CVE-2020 - 6237 ) information let on the trouble , and innkeeper factor perquisite escalation vulnerability ( CVE-2020 - 6234 ) and Landscape Manager 3.0 / SAP ( CVE-2020 - 6236 ) . The twenty percent senior high school precedence musical note is an update of the March 2020 temporary hookup day surety remark , which restore an administrator computer code exposure in the Crystal Reports ( Business Items Business Intelligence Platform ) tag as CVE-2020 - 6208 , with a CVSS nock of 8.1 . ERP & S/4 HANA , NetWeaver , Fiori Launchpad , Company Client , S/4 HANA , and SAP Commerce muddle the average antecedence exposure of all persist Security placard .