SAP has released its monthly critical patch update for March 2012. The update closes many vulnerabilities in SAP products. This month, 2 vulnerabilities found by ERPScan researchers Dmitriy Chastukhin and Alexey Tyurin were closed.
A detailed list of the corrected vulnerabilities is below:
- An XSS vulnerability was found in SAP Portal. An attacker can exploit it by sending a link that carries a malicious script to an unsuspecting user via e-mail, instant messaging or social networks. When the victim follows the link, the script runs in the victim's browser in the context of the portal, so the attacker can hijack the user's session and gain control over any business-critical information the victim can access. An update is available in SAP Security Note 1656549. Criticality, according to CVSS, is 4.3.
- A missing authorization check was found in an RFC function of the BASIS module. An update is available in SAP Security Note 1657891. Criticality, according to CVSS, is 2.3. Because the authorization check is missing, an attacker can remotely execute the vulnerable transaction, program or RFC function without holding the authorization that should be required for it. Depending on what the function does, this can lead to anything from information disclosure to full system compromise.
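To make the second issue concrete, here is an added illustration of the vulnerability class in an RFC-enabled function module. It is not the code of the function covered by SAP Security Note 1657891 (the page does not name it), and every Z_* name, the custom authorization object Z_VENDOR and its fields are assumptions made for the example.

```abap
* Hypothetical RFC-enabled function module (all Z_* names are assumed).
* The module is flagged "Remote-Enabled Module" in its attributes, so any
* user allowed to call the function group over RFC can invoke it; the
* kernel's S_RFC check decides only whether the call may enter the
* function group, not what the caller may do with vendor master data.
FUNCTION z_erp_read_vendor_bank.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(iv_lifnr) TYPE lifnr
*"  EXPORTING
*"     VALUE(ev_bankn) TYPE bankn
*"  EXCEPTIONS
*"     not_authorized
*"----------------------------------------------------------------------

  " Vulnerable pattern (kept as a comment): straight to the database with
  " no AUTHORITY-CHECK. Any RFC caller that reaches the function group
  " reads the vendor's bank account number.
*  SELECT SINGLE bankn FROM lfbk INTO ev_bankn WHERE lifnr = iv_lifnr.

  " Hardened pattern: check an application-level authorization object
  " before touching business data. Z_VENDOR with fields ACTVT and LIFNR
  " is an assumed custom object; a real module would check the object
  " that actually protects the data it reads. Activity 03 = display.
  AUTHORITY-CHECK OBJECT 'Z_VENDOR'
    ID 'ACTVT' FIELD '03'
    ID 'LIFNR' FIELD iv_lifnr.
  IF sy-subrc <> 0.
    " AUTHORITY-CHECK sets sy-subrc <> 0 when the user lacks the
    " authorization. Raising the exception ends the RFC call without
    " returning any data.
    RAISE not_authorized.
  ENDIF.

  SELECT SINGLE bankn FROM lfbk INTO ev_bankn WHERE lifnr = iv_lifnr.

ENDFUNCTION.
```

The point of the example is that remote-enabling a function module adds no authorization of its own: S_RFC governs entry into the function group, and the check on the business object has to be written into the module. When reviewing a system for this class of issue, look for remote-enabled modules that read or change business data without an AUTHORITY-CHECK (or a call to a check function) on the path to that data.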
SAP has traditionally published acknowledgements of vulnerabilities found by security researchers from DSecRG on its acknowledgement page.
It is highly recommended to apply all of these patches to prevent the related business risks.
Advisories for these issues, with technical details, will be available within 3 months on ERPScan.com and also on DSecRG.com.
Exploits will be available soon in ERPScan Security Scanner, an innovative SAP vulnerability assessment solution.