SAP patches three-year-old vulnerability, plus 20 more flaws

SAP this week patched nearly two dozen vulnerabilities, the most dangerous of which was a code injection vulnerability found in SAP Documentation and Translation Tools.
SAP this week patched nearly two dozen vulnerabilities, the most dangerous of which was a code injection vulnerability found in SAP Documentation and Translation Tools.

SAP on June 14 patched 21 product vulnerabilities, including an information disclosure flaw that was originally disclosed more than three years ago.

The information disclosure vulnerability existed in SAP's BI (Business Intelligence) Reporting and Planning process. If exploited, the issue could have allowed attackers to uncover system data and debugging information, and leverage this digital intelligence for future attacks.

The 21 total vulnerabilities, four of which were critical, were categorized as follows: five cross-site scripting, five missing authorization, four implementation flaws, two denial of service (DOS), two directory traversals, one code injection, one XML external entity, one information disclosure.

The most critical case was the code injection vulnerability, which was found in SAP Documentation and Translation Tools. The flaw could have allowed bad actors to inject and execute malicious code capable of manipulating data, modifying system output, elevating privileges and even performing DoS attacks.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS