CVE-2017-15293
CRITICAL
SAP Point of Sale Xpress Server - Unauthenticated Improper Authentication
Title source: llm
Description
Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064.
References (4)
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/100713
Issue Tracking, Vendor Advisory x_refsource_misc
https://blogs.sap.com/2017/09/12/sap-security-patch-day-september-2017/
Third Party Advisory x_refsource_misc
https://erpscan.io/advisories/erpscan-17-032-sap-pos-missing-authentication-xpressserver/
Third Party Advisory x_refsource_misc
https://erpscan.io/research/hacking-sap-pos/
Scores
CVSS v3
9.8
EPSS
0.0141
EPSS Percentile
80.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (2)
sap/point_of_sale_xpress_server
1020
sap/point_of_sale_xpress_server
1030
Published
Oct 16, 2017
Tracked Since
Feb 18, 2026