SAP released its monthly critical patch update for October 2011, which closes many vulnerabilities in SAP products. Six of those vulnerabilities were found by external researchers; Dmitry Evdokimov, an ERPScan Team researcher, is among them as usual.
SAP traditionally publishes acknowledgements to the ERPScan security researchers who found these vulnerabilities on its acknowledgement page.
The detailed list of corrected vulnerabilities is below:
- XSS vulnerability. The update is available in SAP Security Note 1585652. The criticality according to CVSS is 4.3. An attacker can exploit the XSS vulnerability by sending a link containing a malicious script to an unsuspecting user via e-mail, instant messaging or social networks. The attacker can thereby gain access to the user's session and take control of the business-critical information that the victim is allowed to access.
It is highly recommended to patch all those issues to prevent business risks. Solutions for those issues are available in SAP Security Note 1585652. Advisories for those issues with technical details will be available in 3 months on erpscan.com. Exploits will be available soon in ERPScan Security Scanner, an innovative SAP vulnerability assessment solution, and in ERPScan SaaS.