
Mass disclosure of vulnerabilities in SAP from ERPScan

This month ERPScan specialists published eight vulnerabilities of varying severity found in SAP products.

The published vulnerabilities cover almost the whole spectrum of OWASP Top 10 risks, from path traversal and XSS to authorization bypass and code injection. The advisories are published on the ERPScan.com site.

Every month we publish information about vulnerabilities found in SAP products by our specialists, but this was a really productive month. We have to say that SAP has increased the rate of reaction to vulnerabilities found by third-party researchers. Right now they find solutions for these vulnerabilities much faster, which makes the system more secure. However, there is still a huge problem connected with administrators' ignorance and the complexity of installing updates. That's why, according to our surveys, a huge number of SAP systems, including those available via the internet, contain vulnerabilities which have already been closed by SAP. These companies can be very easy targets for attackers,

— said Alexander Polyakov, the CTO of ERPScan.

Details can be found here:

/advisories/erpscan-11-041-sap-netweaver-authentication-bypass-verb-tampering/

/advisories/erpscan-11-040-sap-netweaver-spml-xml-csrf-user-creation/

/advisories/erpscan-11-039-sap-netweaver-th_grep-module-code-injection-vulnerability-new/

/advisories/erpscan-11-038-sap-rstxscrp-report-smb-relay-vulnerability/

/advisories/erpscan-11-037-sap-bw-doc-multiple-xss/

/advisories/erpscan-11-035-sap-gui-bapi-explorer-unauthorized-execution-of-function/

/advisories/erpscan-11-034-sap-netweaver-j2ee-mesync-information-disclose/