CVE-2017-15293

Critical

Description

Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064.

References

https://erpscan.io/research/hacking-sap-pos/

https://erpscan.io/advisories/erpscan-17-032-sap-pos-missing-authentication-xpressserver/

https://blogs.sap.com/2017/09/12/sap-security-patch-day-september-2017/

http://www.securityfocus.com/bid/100713

Details

Source: Mitre, NVD

Published: 2017-10-16

Updated: 2025-04-20

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.02568