The issue is in NetWeaver Information Management, a central access point for users to search directories, manage files, and the like. Tracked as CVE-2020-6219 (CVSS score of 9.1), the issue allows parameters to be controlled for a specific variable. Another Hot News Security Note addresses the SAP BusinessObjects. All remaining Security Notes fix medium-priority vulnerabilities in ERP & S/4 HANA, NetWeaver, Fiori Launchpad, Company Client, S/4 HANA, and SAP Commerce. Tracked as CVE-2020-6230, the vulnerability involves authentication and the execution of scripts, with a CVSS score of 9.1. The fifth high-priority note is an update of the March 2020 Patch Day security note, which fixes an administrator code vulnerability in Crystal Reports (Business Items Business Intelligence Platform) tracked as CVE-2020-6208, with a CVSS score of 8.1. Tracked as CVE-2020-6238 with a CVSS score of 9.3, the vulnerability could be remotely exploited and does not require authentication. Another Hot News Security Note published during the April 2020 SAP Security Patch Day addresses an SAP NetWeaver directory traversal vulnerability (CVE-2020-6225, CVSS 9.1). SAP Diagnostics Agent's software command injection vulnerability (CVE-2019-0330, CVSS 9.1). Business Intelligence Platform deserialization vulnerability, which could lead to remote execution of a command. SAP has also posted a Hot News Security Note in OrientDB 3.0 to fix a code injection vulnerability. An attacker capable of exploiting the security issue could read confidential files and data from the network. Other high-priority bugs fixed by SAP include a Business Objects, Business Intelligence Platform (CVE-2020-6237) information disclosure issue, and a host agent privilege escalation vulnerability (CVE-2020-6234) and Landscape Manager 3.0 / SAP (CVE-2020-6236).
It also allows users to upload files; however, an attacker might be able to "overwrite, erase or corrupt arbitrary files with inadequate input validation," explains Onapsis. The most critical of these flaws is a missing XML validation flaw in SAP Commerce. In such limited scenarios, the attacker may also impact the functionality of SAP and Oracle applications. The fifth security note released during the April 2020 Security Patch Day is an update to the November 2019 Patch Day patch that fixes the SAP. This vulnerability, tracked as CVE-2020-6235, can allow an attacker to read sensitive information or exploit an agent's authentication check to access administrative or other privileged functions. As part of the April 2020 Patch Day, a total of five high-priority security notes were released, the main one being the absence of an authentication check in the SAP Solution Manager (Diagnostics Agent).