SAP on June 14 patched 21 product vulnerabilities, including an information disclosure flaw that was originally disclosed more than three years ago.

The information disclosure vulnerability existed in SAP's BI (Business Intelligence) Reporting and Planning process. If exploited, the issue could have allowed attackers to uncover system data and debugging information, and leverage this digital intelligence for future attacks.

The 21 total vulnerabilities, four of which were critical, were categorized as follows: five cross-site scripting, five missing authorization, four implementation flaws, two denial of service (DOS), two directory traversals, one code injection, one XML external entity, one information disclosure.

The most critical case was the code injection vulnerability, which was found in SAP Documentation and Translation Tools. The flaw could have allowed bad actors to inject and execute malicious code capable of manipulating data, modifying system output, elevating privileges and even performing DoS attacks.