Application: SAP NetWeaver Versions Affected: 7.30 (Basis 720 SP 0, Kernel 720 patch 68) Vendor URL: http://www.sap.com Bugs: SQL injection Exploits: NO Reported: 22.10.2012 Vendor response: 23.10.2012 Date of Public Advisory: 30.10.2013 Reference: SAP Note 1783795 CVSS: AV:N/AC:M/AU:S/C:P/I:P/A:P 6.0 Author: Nikolay Mescherin (ERPScan)
DescriptionAn attacker can use specially crafted inputs to modify database commands. This results in either retrieval of additional information, or modification of the data persisted by the system.
By exploiting this vulnerability, an internal or external attacker will be able to escalate their privileges. With the help of this access, it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system.