SAP patches three-year-old vulnerability, plus 20 more flaws
SAP this week patched nearly two dozen vulnerabilities, the most dangerous of which was a code injection vulnerability found in SAP Documentation and Translation Tools.
The information disclosure vulnerability existed in SAP's BI (Business Intelligence) Reporting and Planning process. If exploited, the issue could have allowed attackers to uncover system data and debugging information, and leverage this digital intelligence for future attacks.
The 21 total vulnerabilities, four of which were critical, were categorized as follows: five cross-site scripting, five missing authorization, four implementation flaws, two denial of service (DoS), two directory traversals, one code injection, one XML external entity, and one information disclosure.
The most critical case was the code injection vulnerability, which was found in SAP Documentation and Translation Tools. The flaw could have allowed bad actors to inject and execute malicious code capable of manipulating data, modifying system output, elevating privileges and even performing DoS attacks.