SAP® and Oracle® Security Advisories

Onapsis Research Labs is the world’s leading team of security experts who combine their deep knowledge of critical ERP applications and decades of threat research experience to deliver impactful security insights and threat intelligence focused on the business-critical applications from SAP, Oracle, and SaaS providers. Onapsis Research Labs is, far and away, the most prolific and most celebrated contributor of vulnerability research by the SAP Product Security Response Team. No other research team comes close.
09/18/2024
Directory Traversal in SAP NetWeaver Application Server (AS) for ABAP and ABAP Platform
Impact on business: An authenticated attacker with low privileges can leverage a directory traversal flaw to overwrite a file that is otherwise restricted. On successful exploitation, the attacker can compromise the availability and integrity of the system. Affected components: SAP NetWeaver…
09/18/2024
Directory Traversal vulnerability in SAP NetWeaver (BI_CONT Add-On)
Impact on business: An authenticated attacker with high privileges can leverage a directory traversal flaw to overwrite a file that is otherwise restricted. On successful exploitation, the attacker can compromise the availability and integrity of the system. Affected components: SAP NetWeaver AS for ABAP and ABAP…
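What a directory traversal flaw of the kind described in the two advisories above looks like in code, and the containment check that closes it. This is an added, generic illustration in Python and not code from SAP or from the advisories; the base directory `/srv/app/exports` and all function names are hypothetical.

```python
import os

# Hypothetical directory the application is allowed to write into.
BASE_DIR = "/srv/app/exports"


class TraversalError(ValueError):
    """Raised when a caller-supplied name would resolve outside the base directory."""


def vulnerable_target_path(user_name: str, base_dir: str = BASE_DIR) -> str:
    """The flawed pattern: join the untrusted name and trust the result.

    '../' segments in user_name walk out of base_dir, so a low-privileged
    caller can pick any file the server process is able to write to.
    """
    return os.path.normpath(os.path.join(base_dir, user_name))


def safe_target_path(user_name: str, base_dir: str = BASE_DIR) -> str:
    """Resolve user_name inside base_dir or raise TraversalError.

    The check runs on the fully resolved path (after '..' collapsing and
    symlink resolution), the only place where a containment test means
    anything. Callers must URL-decode or otherwise decode the name *before*
    passing it in; testing an encoded string is a classic bypass.
    """
    if "\x00" in user_name:
        raise TraversalError("NUL byte in file name")
    if os.path.isabs(user_name):
        raise TraversalError("absolute paths are not allowed")

    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_name))

    # commonpath() is segment-aware: it will not accept '/srv/app/exports-old'
    # as a child of '/srv/app/exports' the way a startswith() check would.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"{user_name!r} resolves outside {base_dir}")
    return candidate


def is_allowed(user_name: str, base_dir: str = BASE_DIR) -> bool:
    """Boolean form of safe_target_path for callers that only need a verdict."""
    try:
        safe_target_path(user_name, base_dir)
    except TraversalError:
        return False
    return True


def write_export(user_name: str, data: bytes, base_dir: str = BASE_DIR) -> str:
    """Write data to the validated path and return that path.

    Mode 'x' refuses to clobber an existing file, which limits the
    'overwrite a restricted file' impact even if a later check is weakened.
    """
    target = safe_target_path(user_name, base_dir)
    with open(target, "xb") as fh:
        fh.write(data)
    return target
```

Note that `q1/../report.txt` is accepted: the rule is containment after normalization, not the mere presence of `..`, so legitimate relative names keep working while anything that escapes the base is rejected.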
09/18/2024
Multiple Reflected Cross Site Scripting vulnerabilities in SBSPEXT_PHTMLB package
Impact on business: By exploiting any of these vulnerabilities, a remote attacker could trick users into clicking malicious links and, depending on the level of protection the browser provides, steal user sessions or other information. Affected components: SAP_BASIS 700 SP…
03/19/2021
[SAP RECON] SAP JAVA: Unauthenticated execution of configuration tasks
Impact on business: An unauthenticated attacker could abuse the missing authentication check on a particular web service exposed by default in the SAP NetWeaver Java stack, allowing full compromise of the targeted system. Affected components: LM CONFIGURATION WIZARD is a part of SAP NetWeaver Java, which is a foundational layer used by…
06/14/2018
SAP SCI Information Disclosure HTTP
By exploiting this vulnerability, a remote unauthenticated attacker may discover security vulnerabilities affecting the system and potentially leverage them in a second step.
06/14/2018
SAP Code Injection
By exploiting this vulnerability, a remote attacker could access and modify any business information.
06/14/2018
SAP SCI Missing Authorization Check
By exploiting this vulnerability, a remote unauthenticated attacker may discover security vulnerabilities affecting the system and potentially leverage them in a second step.
02/09/2018
SAP Information Disclosure
By exploiting this vulnerability, a remote unauthenticated attacker could get information about the system architecture.
02/09/2018
SAP Java CSV Injection
By exploiting this vulnerability, an unauthenticated attacker could inject malicious content into the back-office application to read or modify its information.
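The injection class named in this last advisory: a string that begins with a formula trigger character is evaluated by the spreadsheet that opens an exported CSV, so attacker-controlled text in one record reaches whoever downloads the export. The following is an added, generic Python illustration of the neutralization step on the producing side; it is not SAP's code, and the sample rows are constructed.

```python
import csv
import io

# Leading characters that common spreadsheet applications treat as the start
# of a formula (or a DDE link). Tab and CR are included because some viewers
# still evaluate a cell after a leading control character.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(text: str) -> bool:
    """True if the cell would be parsed as a formula when the CSV is opened."""
    return text.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Return a cell representation that a spreadsheet will render as text.

    Real numbers pass through unchanged so a legitimate -120.5 stays numeric;
    only strings are inspected, since that is where attacker data arrives.
    A leading apostrophe forces the text type in Excel and LibreOffice.
    """
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        text = str(value)
        if is_formula_like(text):
            return "'" + text
        return text
    return str(value)


def export_rows(rows) -> str:
    """Serialize rows to CSV with every cell quoted and neutralized.

    QUOTE_ALL plus the csv module's own quote doubling keeps an attacker
    from closing a quoted field early and starting a new, unneutralized one.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: one benign row and one row carrying a DDE-style payload
# in a free-text field, as an attacker could submit through a web form.
SAMPLE_ROWS = [
    ["customer", "comment", "balance"],
    ["Alice", "Paid in full", -120.5],
    ["Mallory", "=cmd|' /C calc'!A0", 0],
]
```

The apostrophe stays visible in the cell; that is the intended trade-off. Stripping the trigger characters instead would silently alter legitimate data such as phone numbers entered with a leading plus.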
