SAP® and Oracle® Security Advisories

Onapsis Research Labs is a team of security experts who combine deep knowledge of critical ERP applications with decades of threat research experience to deliver security insights and threat intelligence focused on the business-critical applications from SAP, Oracle, and SaaS providers. Onapsis Research Labs is, by the SAP Product Security Response Team's own acknowledgements, the most prolific and most frequently credited external contributor of vulnerability research to SAP. No other research team comes close.

09/10/2025

Insufficient Authorization Checks on RFC Enabled Function Module F4_DXFILENAME_TOPRECURSION

Impact on Business: A remote attacker can read all filenames of arbitrary directories from the file system of the application server. This has a low impact on the confidentiality of the system and its business applications.

Vulnerability Details: Remote-enabled function module F4_DXFILENAME_TOPRECURSION allows non-administrative authenticated users to read filenames…
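The class of bug behind this advisory is a remote-enabled function module that does file-system work without checking an authorization object of its own. Reaching such a module over RFC only requires S_RFC for its function group, which many non-administrative roles carry, so the module itself must decide whether the caller may read the directory. The following is an added illustration of that pattern, not SAP's code and not the affected module: the function name Z_SEC_LIST_DIR_RFC and its interface are hypothetical, and the vulnerable variant is simply this module with the AUTHORITY-CHECK block deleted. It delegates the listing to the standard EPS_GET_DIRECTORY_LISTING module and gates it on S_DATASET with activity 33 (Read).

```abap
FUNCTION z_sec_list_dir_rfc.
*"----------------------------------------------------------------------
*"*"Local interface (hypothetical; defined in SE37 as Remote-Enabled):
*"  IMPORTING
*"     VALUE(IV_DIR) TYPE  STRING
*"  TABLES
*"      ET_FILES STRUCTURE  EPSFILI
*"  EXCEPTIONS
*"      NO_AUTHORITY
*"      READ_FAILED
*"----------------------------------------------------------------------
  DATA lv_dir TYPE epsf-epsdirnam.

  " Being callable over RFC is not the same as being allowed to read the
  " file system. Check S_DATASET (ACTVT 33 = Read) for the requested path
  " before anything touches the directory. Removing this block reproduces
  " the "insufficient authorization check" pattern: every user with S_RFC
  " for the function group could then enumerate arbitrary directories.
  AUTHORITY-CHECK OBJECT 'S_DATASET'
    ID 'PROGRAM'  FIELD sy-repid
    ID 'ACTVT'    FIELD '33'
    ID 'FILENAME' FIELD iv_dir.
  IF sy-subrc <> 0.
    " Fail before reading, so an unauthorised caller cannot even learn
    " whether the directory exists.
    RAISE no_authority.
  ENDIF.

  " EPS_GET_DIRECTORY_LISTING takes a fixed-length directory name.
  lv_dir = iv_dir.

  " Delegate the listing to the standard EPS module; ET_FILES receives one
  " EPSFILI row (NAME, SIZE) per directory entry. An empty directory
  " (exception 7) is a valid result, not an error.
  CALL FUNCTION 'EPS_GET_DIRECTORY_LISTING'
    EXPORTING
      dir_name               = lv_dir
      file_mask              = '*'
    TABLES
      dir_list               = et_files
    EXCEPTIONS
      invalid_eps_subdir     = 1
      sapgparam_failed       = 2
      build_directory_failed = 3
      no_authorization       = 4
      read_directory_failed  = 5
      too_many_read_errors   = 6
      empty_directory_list   = 7
      OTHERS                 = 8.
  IF sy-subrc <> 0 AND sy-subrc <> 7.
    RAISE read_failed.
  ENDIF.
ENDFUNCTION.
```

Two points worth checking when reviewing your own remote-enabled modules against this pattern: the FILENAME field of S_DATASET is fixed-length, so a long path is truncated before comparison and an authorization built around a prefix can be looser than intended; and the check must use the path the module actually opens, not a caller-supplied display value, otherwise the two can diverge.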

08/28/2025

Reflected Cross-Site Scripting in “bsp_vhelp” BSP Application

Impact on Business: By exploiting this vulnerability a remote attacker could trick users into clicking malicious links and, depending on the level of protection that the browser provides, could potentially steal their user sessions or other information.

Vulnerability Details: Due to insufficient input sanitization, SAP…

08/28/2025

Arbitrary execution of RFC functions through SHDB_TOOLS_RFC_WRAPPER

Impact on Business: By exploiting this vulnerability a remote attacker could trick users into accessing specially crafted URL(s) that could trigger certain actions on the SAP System by triggering specific events.

Vulnerability Details: Due to the unrestricted scope of the RFC function module (SHDB_TOOLS_RFC_WRAPPER), SAP BASIS – versions 731,…
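The general problem named in this advisory's title is a remote-enabled wrapper that forwards to whatever function module the caller names. The RFC runtime checks S_RFC only for the module the client invokes directly, so such a wrapper lets one S_RFC grant stand in for every remote-enabled module on the system. The following is an added illustration of how a wrapper of this kind is kept in scope; it is not SAP's code and says nothing about the internals of SHDB_TOOLS_RFC_WRAPPER. The function name Z_SEC_RFC_DISPATCH, its interface and the allowlist entries are hypothetical. The vulnerable form is the same module with the allowlist and the S_RFC check removed, leaving only the dynamic CALL FUNCTION.

```abap
FUNCTION z_sec_rfc_dispatch.
*"----------------------------------------------------------------------
*"*"Local interface (hypothetical; defined in SE37 as Remote-Enabled):
*"  IMPORTING
*"     VALUE(IV_FUNCNAME) TYPE  RS38L_FNAM
*"  EXPORTING
*"     VALUE(EV_RC)       TYPE  SYSUBRC
*"  EXCEPTIONS
*"      NOT_ALLOWED
*"----------------------------------------------------------------------
  TYPES ty_names TYPE STANDARD TABLE OF rs38l_fnam WITH EMPTY KEY.

  " Static allowlist of targets this wrapper may forward to (sample
  " entries, chosen because both modules are parameterless-callable).
  " Anything else is refused before any dynamic call happens, so the
  " wrapper cannot be used to reach arbitrary remote-enabled modules.
  DATA(lt_allowed) = VALUE ty_names( ( 'RFC_PING' )
                                     ( 'RFC_SYSTEM_INFO' ) ).

  IF NOT line_exists( lt_allowed[ table_line = iv_funcname ] ).
    RAISE not_allowed.
  ENDIF.

  " The RFC runtime only checked S_RFC for this wrapper. Re-check it for
  " the target so the caller's authorisations still decide what runs;
  " RFC_TYPE 'FUNC' checks at function-module granularity, ACTVT 16 =
  " Execute.
  AUTHORITY-CHECK OBJECT 'S_RFC'
    ID 'RFC_TYPE' FIELD 'FUNC'
    ID 'RFC_NAME' FIELD iv_funcname
    ID 'ACTVT'    FIELD '16'.
  IF sy-subrc <> 0.
    RAISE not_allowed.
  ENDIF.

  " Only now is the dynamic call made. On its own (no allowlist, no
  " authorisation re-check) this single statement is the vulnerable
  " pattern: the caller chooses the target.
  CALL FUNCTION iv_funcname
    EXCEPTIONS
      OTHERS = 1.
  ev_rc = sy-subrc.
ENDFUNCTION.
```

When auditing a custom wrapper, search its source for CALL FUNCTION with a variable rather than a literal after it; every such site needs either a static allowlist like the one above or an authorization check on the resolved target name, and the allowlist must be compared against the exact, upper-cased name, not a substring or prefix.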

07/18/2025

Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP

Impact on Business: Impact depends on the victim’s privileges. In the worst case, a successful attack allows an attacker to hijack a session, or to force the victim to perform undesired requests in the SAP system.

Affected Components Description: The SAP Host Agent can accomplish several life-cycle tasks…

04/13/2021

Denial of Service in SAP NetWeaver AS ABAP

Impact on Business: A remote attacker can block all work processes of an SAP System running on SAP NetWeaver AS ABAP. This has a very high negative impact on the availability of the system and its business applications.

Vulnerability Details: The remote-enabled function module SPI_WAIT_MILLIS blocks a…