SAP released its monthly critical patch update for July 2011, which closes about 40 vulnerabilities in SAP products. 9 of them were found by external experts. As in previous months, ERPScan researchers Dmitriy Chastuhin and Dmitriy Evdokimov, who found 2 of these vulnerabilities, are among them.
SAP has again published acknowledgements for the vulnerabilities reported by ERPScan's security researchers on its acknowledgement page.
The most critical vulnerability was found in the BAPI component and can be exploited to execute functions without authorization. A malicious user may use this to impersonate a user on the front-end system and gain access to all the information that user can access, with the same rights as the target user. It is highly recommended to patch all of these issues to prevent business risk. Solutions for these issues are available in SAP Security Notes 546307 and 1599550.
Advisories for these issues, including technical details, will be published on erpscan.com in 3 months. Exploits will be available soon in ERPScan Security Scanner, an innovative SAP vulnerability assessment solution, and in ERPScan SaaS.