CVE-2017-15293

Published: Oct 16, 2017Modified: May 13, 2026

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064.

Affected (2)

Products: Sap: Point Of Sale Xpress Server

Sap

1 product

Point Of Sale Xpress Server

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Sap Point Of Sale Xpress Server	Version 1020
Sap Point Of Sale Xpress Server	Version 1030

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (8)

http://www.securityfocus.com/bid/100713

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://blogs.sap.com/2017/09/12/sap-security-patch-day-september-2017/

Source: cve@mitre.org

Issue TrackingVendor Advisory

https://erpscan.io/advisories/erpscan-17-032-sap-pos-missing-authentication-xpressserver/

Source: cve@mitre.org

https://erpscan.io/research/hacking-sap-pos/

Source: cve@mitre.org

http://www.securityfocus.com/bid/100713

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://blogs.sap.com/2017/09/12/sap-security-patch-day-september-2017/

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

https://erpscan.io/advisories/erpscan-17-032-sap-pos-missing-authentication-xpressserver/

Source: af854a3a-2127-422b-91ae-364da2661108

https://erpscan.io/research/hacking-sap-pos/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.