Application: SAP NetWeaver AS Java
Versions Affected: SAP NetWeaver AS Java 7.5 Webdynpro
Vendor URL: SAP
Bugs: Information disclosure
Reported: 22.04.2016
Vendor response: 23.04.2016
Date of Public Advisory: 08.11.2016
Reference: SAP Security Note 2342940
Author: Mathieu Geli (ERPScan)


A Webdynpro component allows an anonymous user to enter a URL and send a fixed (SLD-specific) payload to it.

Business risk

An attacker can use the information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps them learn about the system and plan other attacks.