[ERPSCAN-11-035] SAP GUI BAPI Explorer - Unauthorized execution of function
Application: SAP NetWeaver
Versions Affected: SAP NetWeaver
Vendor URL: http://www.sap.com
Date of Public Advisory: 11.11.2011
Author: Dmitriy Chastuchin
SAP GUI BAPI Explorer has a stored XSS vulnerability that can be used for unauthorized code execution on the server side.
A legitimate SAP user can insert a malicious script into transaction code, which can then run any function without authorisation or gain access to the OS.