By Ionut Arghire on September 09, 2020
SAP this week announced the release of 10 new Security Notes as part of its September 2020 Security Patch Day, as well as updates for 6 previous Security Notes.
Two of the Security Notes are rated Hot News. They address critical flaws in SAP Marketing - Mobile Channel Servlet (CVE-2020-6320 – improper access control), with a CVSS score of 9.6, and in NetWeaver (ABAP Server) and ABAP Platform (CVE-2020-6318 – code injection), with a CVSS score of 9.1.
Mobile Channel Servlet enables mobile campaigns in which push notifications are sent to Android and iOS devices via Google Firebase. The critical flaw addressed this week allows an authenticated attacker to access restricted functions.