Authentication flaw

2017-10-1616:29:00

PRIOn knowledge base

www.prio-n.com

9.4 High

AI Score

Confidence

High

0.008 Low

EPSS

Percentile

82.1%

JSON

Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064.

CPENameOperatorVersion
point_of_sale_xpress_servereq1020
point_of_sale_xpress_servereq1030

CPE	Name	Operator	Version
	point_of_sale_xpress_server	eq	1020
	point_of_sale_xpress_server	eq	1030

References

www.securityfocus.com/bid/100713

blogs.sap.com/2017/09/12/sap-security-patch-day-september-2017/

erpscan.io/advisories/erpscan-17-032-sap-pos-missing-authentication-xpressserver/

erpscan.io/research/hacking-sap-pos/