Security Advisories

The Onapsis Research Labs delivers regular SAP® and Oracle® vulnerability research to our ecosystem of customers, partners and the information security industry.

Onapsis security advisories enable customers to better understand the security and business implications of discovered SAP and Oracle security issues. This enables organizations to prioritize patches, updates and their remediation strategies to ensure continuity of the business. Onapsis security advisories, together with vendor patches and security notes, are available for download to provide vendors and end-users with the necessary information to mitigate advanced threats to mission-critical applications running on SAP and Oracle.

Critical
SAP
06/14/2021
Missing authorization check in SAP Solution Manager
Due to a missing authorization check in SAP Solution Manager LM-SERVICE component a remote authenticated attacker could be able to execute privileged actions in the affected system, including the…
Critical
SAP
06/14/2021
SAP Manufacturing Integration & Intelligence Lack of Server Side Validations
By abusing a Code Injection in SAP MII, an authenticated user with SAP XMII Developer privileges could execute code (including OS commands) on the server.
High
SAP
06/14/2021
Missing Authorization Check in SAP SolMan Experience Monitoring
Any authenticated user of the Solution Manager is able to craft/ upload and execute EEM scripts on the SMDAgents affecting its Integrity, Confidentiality and Availability.
Low
SAP
06/14/2021
SAP Solution Manager Open Redirect from Trace Analysis
Under certain circumstances, an attacker might be able to steal a cookie from the application. It may impact the confidentiality of the service.
Critical
SAP
03/19/2021
Unauthenticated RCE in SAP SMD Agents through SAP SolMan
A malicious unauthenticated user could abuse the lack of authentication check on SAP Solution Manager User-Experience Monitoring web service, allowing them to remotely execute commands in all hosts…
Critical
SAP
03/19/2021
SAP Java OS Remote Code Execution
A malicious authenticated attacker could abuse some particular services exposed by the SAP JAVA Netweaver allowing them to execute commands in the underlying operating system.
High
SAP
03/19/2021
[SAP RECON] SAP JAVA: Unauthenticated execution of configuration tasks
A malicious unauthenticated user could abuse the lack of authentication check on a particular web service exposed by default in SAP Netweaver JAVA stack, allowing them to fully compromise the…
High
03/19/2021
SAP Multiple root LPE through SAP Host Control
A malicious authenticated attacker, with privileges of SAP SMD Agent access, could abuse some SAP Host Control functions' lack of sanitization, in order to escalate its privileges and execute…
Low
SAP
07/29/2019
SAP SDLREG Fixed Key for Encryption
Please fill in the following form in order to download the selected Onapsis' resource. The system will send you a download link to your email.
High
Oracle
07/18/2018
Multiple Oracle E-Business Suite Open Redirection
By exploiting this vulnerability, a remote attacker could steal sensitive business information by redirecting users to a malicious site.
High
Oracle
07/18/2018
Multiple Oracle E-Business Suite Cross-Site Scripting (XSS)
By exploiting this vulnerability, a remote attacker could steal sensitive business information by targeting other users connected to the system.
High
SAP
06/14/2018
SAP Code Injection
By exploiting this vulnerability, a remote attacker could access and modify any business information.