
SAP Security Notes May 2012 – Review


SAP released its monthly critical patch update for May 2012 which closes many vulnerabilities in SAP products. This month, 4 vulnerabilities found by ERPScan researchers Dmitriy Chastukhin and Alexey Tyurin were closed.

The detailed list of corrected vulnerabilities is below:

  • An XXE vulnerability was found in the application SAP BW. By exploiting this vulnerability, an internal or external attacker can gain access to any file located in the SAP server file system. With this access it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system. The update is available in SAP Security Note 1597066. The criticality, according to CVSS, is 4.0.
  • An Information Disclosure vulnerability was found in the application SAP NetWeaver. By exploiting this vulnerability, an internal or external attacker can access any file located in the SAP server file system. With this access it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system. The update is available in SAP Security Note 1675605. The criticality, according to CVSS, is 4.0.
  • An XSS vulnerability was found in SAP NetWeaver. An attacker can exploit the XSS vulnerability by sending a link containing a malicious script to an unsuspecting user via e-mail, messaging or social networks. In this way, an attacker can gain access to the user's session and take control of the business-critical information accessible to the victim. The update is available in SAP Security Note 1614834. The criticality, according to CVSS, is 4.3.
  • An XSS vulnerability was found in SAP Mobile. An attacker can exploit the XSS vulnerability by sending a link containing a malicious script to an unsuspecting user via e-mail, messaging or social networks. In this way, an attacker can gain access to the user's session and take control of the business-critical information accessible to the victim. The update is available in SAP Security Note 1590866. The criticality, according to CVSS, is 4.3.

As usual, SAP has published acknowledgements to the ERPScan security researchers for the vulnerabilities they found on its acknowledgement page.

It is highly recommended to patch all of these issues to prevent business risks.

Advisories for these issues, including technical details, will be published on ERPScan.com within 3 months.

Exploits will soon be available in ERPScan Security Scanner, an innovative SAP vulnerability assessment solution, and in ERPScan SaaS.
