SAP released its monthly critical patch update for March 2012, which closes many vulnerabilities in SAP products. This month, two vulnerabilities found by ERPScan researchers Dmitriy Chastukhin and Alexey Tyurin were closed.
The detailed list of the corrected vulnerabilities is below:
- An XSS vulnerability was found in SAP Portal. An attacker can exploit it by sending a link containing a malicious script to an unsuspecting user via e-mail, instant messaging or social networks. The attacker can thereby hijack the user's session and gain control over the business-critical information that the victim is able to access. The update is available in SAP Security Note 1656549. The criticality, according to CVSS, is 4.3.
- Missing authorization check in an RFC function from the BASIS module. The update is available in SAP Security Note 1657891. The criticality, according to CVSS, is 2.3. Because the authorization check is missing, an attacker can execute the vulnerable transaction, program or RFC function remotely without authentication. This can lead to a range of threats, from information disclosure to full system compromise.
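As an added illustration of the second item, not code from the advisory, ERPScan or SAP: a hypothetical remote-enabled ABAP function module that carries the explicit AUTHORITY-CHECK the flawed variant lacks. Z_EXAMPLE_READ_TABLE and its parameters are assumed names; S_TABU_NAM is SAP's standard authorization object for table-name-based access.

```abap
* Added example (not from the advisory or from SAP). Z_EXAMPLE_READ_TABLE
* is a hypothetical remote-enabled function module that returns the row
* count of a table named by the RFC caller.
FUNCTION z_example_read_table.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(iv_table) TYPE tabname
*"  EXPORTING
*"     VALUE(ev_count) TYPE i
*"  EXCEPTIONS
*"     not_authorized
*"     table_not_found
*"----------------------------------------------------------------------

* The vulnerable pattern described in the advisory has no check at this
* point: the RFC runtime only verifies S_RFC for the function group, and
* S_RFC is often granted broadly, so any RFC user could query any table.
* The fix is an explicit check against the business-level object before
* any data is touched. S_TABU_NAM (fields TABLE, ACTVT) is a real object;
* activity 03 = display.
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'TABLE' FIELD iv_table
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
*   Raise a classic exception so the RFC client receives an error
*   instead of data; the failed check is also visible in the system log.
    RAISE not_authorized.
  ENDIF.

* Reached only after the check passed. The table name is dynamic, so a
* non-existent name would otherwise cause a runtime error (short dump).
  TRY.
      SELECT COUNT(*) FROM (iv_table) INTO ev_count.
    CATCH cx_sy_dynamic_osql_semantics.
      RAISE table_not_found.
  ENDTRY.

ENDFUNCTION.
```

A caller without the S_TABU_NAM authorization for the requested table receives the NOT_AUTHORIZED exception rather than the row count.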
SAP traditionally publishes acknowledgements to the security researchers who reported the vulnerabilities on its acknowledgement page.
It is highly recommended to patch all those issues to prevent business risks.
Advisories with technical details for those issues will be available on ERPScan.com within 3 months.
Exploits will be available soon in ERPScan Security Scanner, an innovative SAP vulnerability assessment solution.