"Every month we publish information about vulnerabilities found in SAP products by our specialists, but this was a really productive month. We have to say that SAP has increased the rate of reaction against vulnerabilities found by third-party researchers. Right now they find solutions for these vulnerabilities much faster, which makes the system more secure. However, there is still a huge problem connected with administrators' ignorance and the complexity of installing updates. That's why, according to our surveys, a huge number of SAP systems, including those available via the internet, contain vulnerabilities which have already been closed by SAP. These companies can be very easy targets for attackers," said Alexander Polyakov, the CTO of ERPScan.
Details can be found here:
http://erpscan.com/advisories/dsecrg-11-041-sap-netweaver-authentication-bypass-verb-tampering/
http://erpscan.com/advisories/dsecrg-11-040-sap-netweaver-spml-xml-csrf-user-creation/
http://erpscan.com/advisories/dsecrg-11-039-sap-netweaver-th_grep-module-code-injection-vulnerability-new/
http://erpscan.com/advisories/dsecrg-11-038-sap-rstxscrp-report-smb-relay-vulnerability/
http://erpscan.com/advisories/dsecrg-11-037-sap-bw-doc-multiple-xss/
http://erpscan.com/advisories/dsecrg-11-036-sap-netwaver-virus-scan-interface-multiple-xss/
http://erpscan.com/advisories/dsecrg-11-035-sap-gui-bapi-explorer-unauthorized-execution-of-function/
http://erpscan.com/advisories/dsecrg-11-034-sap-netweaver-j2ee-mesync-%e2%80%93-information-disclose/