sap [Article] Vulnerabilities in SAP Products Could compromise systems and it's data

[Jimi Wikman]

Multiple vulnerabilities have been reported in SAP products where things like cross-site scripting (xss) and server side request forgery open up access points through which a hacker can compromise the systems and it's data. These vulnerabilities have been patched in SAP Security Patch Day – July 2020 and it is strongly advised to make that update as soon as possible.

Quote

Multiple vulnerabilities have been discovered in SAP products, the most severe of which could allow an unauthenticated, remote attacker to execute code on the affected systems. SAP is a company that creates software to manage business operations and customer relations. Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated, remote attacker to execute code on the affected systems. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Applications configured to have fewer restrictions on the system could be less impacted than those who operate with elevated privileges.

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-sap-products-could-allow-for-arbitrary-code-execution_2020-093/

SYSTEMS AFFECTED:

• Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard) (CVE-2020-6286).
• Security updates for the browser control Google Chromium delivered with SAP Business Client
• Information Disclosure in SAP NetWeaver (XMLToolkit for Java) (CVE-2020-6285).
• Multiple vulnerabilities in SAP Disclosure Management (CVE-2020-6267).
• Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform(BI Launch pad) (CVE-2020-6281).
• Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform(Bipodata) (CVE-2020-6276).
• Server-Side Request Forgery in SAP NetWeaver AS JAVA (IIOP service) (CVE-2020-6282).
• Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform (BI Launchpad and CMC) (CVE-2020-6278).
• Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) (CVE-2020-6222).
• Information Disclosure in SAP NetWeaver (ABAP Server) and ABAP Platform (CVE-2020-6280).

View full blog article