SAP Patches Critical Code Injection, XSS Vulnerabilities

SAP on Tuesday released a series of updates for its products, patching a total of 21 vulnerabilities, including four critical flaws, of which one was rated “Hot News.”

According to ERPScan, a company that specializes in securing SAP and Oracle business-critical software, SAP included 13 security notes in its SAP Security Patch Day – June 2016, to which it added 2 updates to previously released Patch Day Security Notes. Alongside these 15 notes, SAP released 6 Support Package Notes.

According to SAP, one of the 15 resolved issues was rated ‘Hot News’, three were High severity, 10 Medium, and one Low. Of the vulnerabilities, 4 were Cross-Site Scripting (XSS), 3 were missing authorization checks, 2 denial of service (DoS), 1 information disclosure, 1 code injection, and 4 other bugs.

The Hot News flaw is the code injection vulnerability in SAP Documentation and Translation Tools, which has a CVSS Base Score of 9.1. Depending on the injected code, an attacker can exploit it to run code, obtain additional information that should not be displayed, modify or delete data, modify the system output, create new users with higher privileges, control the behavior of the system, potentially escalate privileges by executing malicious code, and even perform a DoS attack.

Of the three High risk issues, one is an XSS in SAP DesignStudio SFIN, with a CVSS Base Score of 8.8, while another is an XML external entity vulnerability in SAP Web-Survey, with a CVSS Base Score of 7.5 (it could allow an attacker to get unauthorized access to the OS filesystem). SAP also resolved an XSS in SAP ecattping, with a CVSS Base Score of 6.1.

According to ERPScan, its researchers discovered four of the vulnerabilities that SAP patched in the June 2016 security notes. One of these, an Information Disclosure vulnerability in BI Reporting and Planning of the Business Warehouse (BW) component, was reported to SAP on April 20, 2013, but the company needed more than three years to resolve it.

The issue carries a CVSS v3 Base Score of 5.3/10 and can be exploited by an attacker to reveal additional information (system data, debugging information, etc.) which would help them learn about a system and plan further attacks. Given that BI Reporting and Planning was designed to transform and consolidate business information from virtually any source system, this unpatched vulnerability can put companies at serious risk.

ERPScan also explains that not all companies apply patches as soon as they are released, and that some issues remain unpatched for years after SAP releases the necessary security fixes. One recent example is the Invoker Servlet case, which was patched by SAP in 2010 and which exists in built-in functionality of SAP NetWeaver Application Server Java systems (SAP Java platforms). Researchers recently revealed that up to 36 global organizations were hacked by attackers exploiting this flaw.

Other issues that SAP resolved with the help of ERPScan researchers include the XSS vulnerability in SAP ecattping, a denial of service vulnerability in SAP Sybase SQL Anywhere MobiLink Synchronization Server (with a CVSS Base Score of 4.9), and a directory traversal vulnerability in SAP Data Services (with a CVSS Base Score of 2.7).

The SAP NetWeaver ABAP platform, which is the backend platform for most common business applications such as ERP, CRM, SRM, and PLM, was affected by the largest number of vulnerabilities. As usual, companies using any of the affected products are advised to apply the security patches as soon as possible to reduce the business risk to their SAP systems.

Last month SAP resolved a Hot News flaw in ASE XPServer, along with 9 other vulnerabilities in products such as Crystal Reports for Enterprise, Predictive Analytics, and the SAP NetWeaver ABAP platform. In April, the company patched 19 flaws in its products, 10 of which had a high priority rating, while patching 28 vulnerabilities in March.
