Multiple Vulnerabilities in SAP Products
Original Issue Date: September 30, 2020
Severity Rating: High
- SAP Solution Manager (User Experience Monitoring), Version - 7.2
- SAP Marketing: Versions 130, 140, 150
- SAP NetWeaver: Versions 7.0, 7.01, 7.02, 7.03, 7.1, 7.2, 7.3, 7.4, 7.4, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
- SAP ABAP Platform: Versions 7.0, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.74, and 7.75
- SAP Commerce: Versions 6.7, 1808, 1811, 1905, 2005
- SAP NetWeaver AS ABAP (BSP Test Application), Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755
- SAP Business Objects Business Intelligence suite: Versions 4.1, 4.2
- SAP 3D Visual Enterprise Viewer, Version 9
- SAP Business Objects Business Intelligence Platform (BI Workspace), Versions - 4.1, 4.2
- SAP NetWeaver (Knowledge Management), Versions - 7.30, 7.31, 7.40, 7.50
- SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE); Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
- BANKING SERVICES FROM SAP 9.0 (Bank Analyzer), Version 500
- S/4HANA FIN PROD SUBLDGR, Version - 100
- SAPUI5 (SAP_UI); Versions - 750, 751, 752, 753, 754, 755
- SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS); Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
- SAP Adaptive Server Enterprise: Versions 15.7, 16.0
- SAP Fiori Launchpad: Versions 750, 752, 753, 754, 755
Multiple vulnerabilities have been reported in SAP products which could be exploited by a remote attacker to perform cross-site scripting attacks, abuse improper access control, session fixation and improper input validation, escalate privileges, inject code, cause denial of service, perform unrestricted file upload and obtain sensitive information on the targeted system.
These vulnerabilities exist in SAP products due to improper access restrictions in the Mobile Channel Servlet, insufficient sanitization of user-supplied data, an improper session management mechanism, various boundary errors, inadequate filtering with the accessing user's privileges, insufficient authentication/authorization checks, and manipulation of an unknown input.
A remote attacker could exploit these vulnerabilities by injecting arbitrary web script, tricking the victim into following a specially crafted link, and executing arbitrary HTML code in the user's browser in the context of the vulnerable website.
Successful exploitation of these vulnerabilities could allow an attacker to perform cross-site scripting attacks, abuse improper access control, session fixation and improper input validation, escalate privileges, inject code, cause denial of service, perform unrestricted file upload and obtain sensitive information on the targeted system. This may further result in complete compromise of the confidentiality, integrity and availability of the targeted system.
Apply appropriate patches as mentioned on the SAP website:
The information provided herein is on an "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003