Critical Flaws in SAP Marketing Mobile Channel Servlet and NetWeaver - Cybers Guards

Two of the Security Notes are rated Hot News and address critical flaws in SAP Marketing Mobile Channel Servlet (CVE-2020-6320 – Incorrect Access Control) and NetWeaver (ABAP Server) and ABAP Platform (CVE-2020-6318 – Code Injection), with CVSS scores of 9.6 and 9.1. The critical flaw addressed this week allows access to restricted functions by an authenticated attacker. Mobile Channel Servlet allows for mobile campaigns in which campaign notifications are sent via Google Firebase to Android and iOS devices. “An exploitation of the vulnerability allows an attacker to do click-through and interaction data related tasks,” explains Onapsis, a firm specializing in securing Oracle and SAP applications.

The code injection flaw in NetWeaver would allow an attacker to take complete control of the application. The attacker could therefore view, change, or delete data via code injected into the memory and executed by the application, or cause the application to terminate.

In addition, SAP updated two additional Hot News Security Notes, one addressing a missing Solution Manager authorization check (CVE-2020-6207, CVSS score of 10), and the other dealing with security updates for the Business Client Chromium browser (CVSS score of 9.8). “Three of the six HotNews and High Priority notes contain only more or less negligible update information not requiring customer action (as compared to the initial / old version of the note). The two HotNews notes #2961991 and #2958563 only affect a small number of SAP customers on DB4 or Sybase (SAP Marketing, SAP NetWeaver AS ABAP). That allows sufficient time for checking the status of all relevant security patches in your SAP system,” notes Onapsis.

The BusinessObjects Business Intelligence Platform (CVE-2020-6325, CVE-2020-6312, and CVE-2020-6288) and the 3D Visual Enterprise Viewer (38 pancreatic fibrosis) address multiple vulnerabilities. Two other Security Note updates address high-severity vulnerabilities, namely a code injection in NetWeaver (ABAP) and ABAP Platform (CVE-2020-6296) and a server-side request forgery in NetWeaver AS ABAP (CVE-2020-6275).

In Bank Analyzer and S/4HANA Financial Products (CVE-2020-6311), Commerce (CVE-2020-6302), NetWeaver AS ABAP (CVE-2020-6324), NetWeaver AS Java (CVE-2020-6326), and Fiori (Launchpad) (CVE-2020-6283), five security notes released this week address medium-risk vulnerabilities. SAP released updates for two medium-priority bugs this week: one handling cross-site scripting (XSS) vulnerabilities in the jQuery bundled with SAPUI5 (CVE-2020-11022, CVE-2020-11023) and another patching a server-side request forgery on NetWeaver AS JAVA (CVE-2020-6282). SAP also announced a Low-priority Security Note that patches an information disclosure vulnerability in Adaptive Server Enterprise (CVE-2020-6317).
