Vulnerability Details : CVE-2017-15293
Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064.
Vulnerability category: Bypass; Gain privilege
Products affected by CVE-2017-15293
- cpe:2.3:a:sap:point_of_sale_xpress_server:1020:*:*:*:*:*:*:*
- cpe:2.3:a:sap:point_of_sale_xpress_server:1030:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-15293
- EPSS score: 0.83% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~80% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2017-15293
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2017-15293
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2017-15293
- https://blogs.sap.com/2017/09/12/sap-security-patch-day-september-2017/ (SAP Security Patch Day – September 2017 | SAP Blogs; Issue Tracking; Vendor Advisory)
- http://www.securityfocus.com/bid/100713 (SAP Point of Sale (POS) Retail Xpress Server Authentication Bypass Vulnerability; Third Party Advisory; VDB Entry)
- https://erpscan.io/research/hacking-sap-pos/ (How to buy MacBook for $1, or hacking SAP POS | SAP Cyber Security Solutions)
- https://erpscan.io/advisories/erpscan-17-032-sap-pos-missing-authentication-xpressserver/ ([ERPSCAN-17-032] SAP POS Missing Authentication in XpressServer)