Vulnerability Details : CVE-2017-15293
Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064.
Vulnerability category: BypassGain privilege
Exploit prediction scoring system (EPSS) score for CVE-2017-15293
Probability of exploitation activity in the next 30 days: 0.83%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 80 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2017-15293
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST |
|
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2017-15293
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-15293
-
https://blogs.sap.com/2017/09/12/sap-security-patch-day-september-2017/
SAP Security Patch Day – September 2017 | SAP BlogsIssue Tracking;Vendor Advisory
-
http://www.securityfocus.com/bid/100713
SAP Point of Sale (POS) Retail Xpress Server Authentication Bypass VulnerabilityThird Party Advisory;VDB Entry
-
https://erpscan.io/research/hacking-sap-pos/
How to buy MacBook for $1, or hacking SAP POS | SAP Cyber Security Solutions
-
https://erpscan.io/advisories/erpscan-17-032-sap-pos-missing-authentication-xpressserver/
[ERPSCAN-17-032] SAP POS Missing Authentication in XpressServer
Products affected by CVE-2017-15293
- cpe:2.3:a:sap:point_of_sale_xpress_server:1020:*:*:*:*:*:*:*
- cpe:2.3:a:sap:point_of_sale_xpress_server:1030:*:*:*:*:*:*:*