DSECRG Advisories

[ERPSCAN-14-002] SAP Portal WebDynPro – Path disclosure

Application: SAP NetWeaver JAVA
Versions Affected: SAP NetWeaver J2EE
Vendor URL: http://www.sap.com
Bugs: Information Disclosure
Exploits: YES
Reported: 20.04.2013
Vendor response: 21.04.2013
Date of Public Advisory: 25.01.2014
Reference: SAP Note 1852146
CVSS: AV:N/AC:L/Au:N/C:P/I:N/A:N 5.0
Author: Alexander Polyakov (ERPScan)

Description

Information disclosure in SAP Portal WebDynPro.

Business Risk

An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps them learn more about the system and plan other attacks.