SAP released monthly critical patch update for October 2011. This patch update closes many vulnerabilities in SAP products. 6 of those vulnerabilities were found by different experts. Traditionally Dmitry Evdokimov , ERPScan Team researcher, is among them.
SAP traditionally sent acknowledgements for found vulnerabilities to security researchers from ERPScan on their acknowledgement page.
Detailed list of corrected vulnerabilities is below :
- XSS vulnerability. Update is available in SAP Security Note 1585652. Criticality according to CVSS is 4.3. An attacker can use XSS vulnerability by sending a link on malicious script to an unaware user via an e-mail, messaging or social networks. Thus, an attacker can gain access to user session and gain control on business-critical information which can be accessed by a victim.
It is highly recommended to patch all those issues to prevent business risks. Solutions for those issues are available in SAP Security Notes: 1585652 Advisories for those issues with technical details will be available in 3 months on erpscan.com Exploits will be available soon in ERPScan Security Scanner – innovative SAP vulnerability assessment solution and ERPScan SaaS.