The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SAP Crystal Enterprise

vulnerability alert CVE-2014-8659 CVE-2014-8660 CVE-2014-8661

SAP: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Number of vulnerabilities in this bulletin: 11.
Creation date: 14/10/2014.
Identifiers: CVE-2014-8659, CVE-2014-8660, CVE-2014-8661, CVE-2014-8662, CVE-2014-8663, CVE-2014-8664, CVE-2014-8665, CVE-2014-8666, CVE-2014-8667, CVE-2014-8668, CVE-2014-8669, DOC-8218, VIGILANCE-VUL-15471.

Description of the vulnerability

Several vulnerabilities were announced in SAP.
Full Vigil@nce bulletin... (Free trial)

vulnerability announcement 14732

SAP: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in SAP, in order to execute JavaScript code in the context of the web site.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 13/05/2014.
Revision date: 19/05/2014.
Identifiers: 1979438, DOC-8218, VIGILANCE-VUL-14732.

Description of the vulnerability

The SAP product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in SAP, in order to execute JavaScript code in the context of the web site.

computer vulnerability announcement CVE-2014-3129

SAP Software Lifecycle Manager: information disclosure

Synthesis of the vulnerability

An attacker can use SAP Software Lifecycle Manager, in order to obtain sensitive information.
Impacted products: Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 14/01/2014.
Revision date: 29/04/2014.
Identifiers: 1894049, CVE-2014-3129, DOC-8218, ONAPSIS-2014-005, VIGILANCE-VUL-14067.

Description of the vulnerability

The SAP Software Lifecycle Manager product offers a web service.

However, an attacker can use HTTP queries to bypass access restrictions to data.

An attacker can therefore use SAP Software Lifecycle Manager, in order to obtain sensitive information.

computer vulnerability CVE-2014-2751

SAP Print and Output: privilege escalation

Synthesis of the vulnerability

An attacker can access a user account of SAP Print and Output, in order to escalate privileges or to obtain sensitive information.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver.
Severity: 2/4.
Consequences: privileged access/rights, data reading.
Provenance: user account.
Creation date: 10/12/2013.
Revision date: 14/03/2014.
Identifiers: 1911523, CVE-2014-2751, DOC-8218, ONAPSIS-2014-004, VIGILANCE-VUL-13915.

Description of the vulnerability

The SAP Print and Output product manages the display of documents.

However, it uses a hardcoded username.

An attacker can therefore access a user account of SAP Print and Output, in order to escalate privileges or to obtain sensitive information.

vulnerability announcement 14262

SAP: multiple vulnerabilities for February 2014

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 2/4.
Consequences: user access/rights, data reading, data creation/edition, data deletion.
Provenance: document.
Number of vulnerabilities in this bulletin: 10.
Creation date: 14/02/2014.
Identifiers: 1716640, 1769611, 1771706, 1777988, 1781171, 1833327, 1911319, 1913388, 1915908, 1942332, VIGILANCE-VUL-14262.

Description of the vulnerability

Several vulnerabilities were publicly announced this month by SAP.

An attacker can traverse directories in HFILTAX0_FORMS0_ALV, in order to read a file outside the root path. [severity:2/4; 1913388]

An attacker can traverse directories in HFISTWC0_FORMS, in order to read a file outside the root path. [severity:2/4; 1777988]

An attacker can traverse directories in HFIUTMS0, in order to read a file outside the root path. [severity:2/4; 1771706]

An attacker can traverse directories in HFISTBC0_SUBR, in order to read a file outside the root path. [severity:2/4; 1769611]

An attacker can trigger a Cross Site Scripting in Business Planning and Consolidation, in order to execute JavaScript code in the context of the web site. [severity:2/4; 1942332]

An attacker can bypass access restrictions of ABAP Reports, in order to read or alter data. [severity:2/4; 1911319]

An attacker can bypass access restrictions of ABAP Reports, in order to read or alter data. [severity:2/4; 1716640]

An attacker can bypass access restrictions of ABAP Reports, in order to read or alter data. [severity:2/4; 1915908]

An attacker can trick the victim into clicking in WebDynpro Java, in order to perform operations. [severity:1/4; 1781171]

An attacker can exploit a SQL injection in LSZRSF03, in order to read or alter data. [severity:2/4; 1833327]

Other vulnerabilities may have been announced this month, but they are private. SAP must be contacted to obtain the full list.

vulnerability 14260

SAP: code execution via CTC

Synthesis of the vulnerability

An attacker can use the CTC servlet of SAP, in order to execute code.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: document.
Creation date: 14/02/2014.
Identifiers: 1963100, VIGILANCE-VUL-14260.

Description of the vulnerability

An attacker can use the CTC servlet of SAP, in order to execute code.

computer vulnerability announcement CVE-2013-7359

SAP: vulnerability 1789611

Synthesis of the vulnerability

An unknown vulnerability was announced in SAP products.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Creation date: 12/03/2013.
Identifiers: 1789611, CVE-2013-7359, DOC-8218, ONAPSIS-2013-009, VIGILANCE-VUL-12507.

Description of the vulnerability

An unknown vulnerability was announced in SAP products.

computer vulnerability 12505

SAP: vulnerability 1806435

Synthesis of the vulnerability

An unknown vulnerability was announced in SAP products.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Creation date: 12/03/2013.
Identifiers: 1806435, DOC-8218, VIGILANCE-VUL-12505.

Description of the vulnerability

An unknown vulnerability was announced in SAP products.

vulnerability note 12504

SAP: vulnerability 1786822

Synthesis of the vulnerability

An unknown vulnerability was announced in SAP products.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Creation date: 12/03/2013.
Identifiers: 1786822, DOC-8218, VIGILANCE-VUL-12504.

Description of the vulnerability

An unknown vulnerability was announced in SAP products.

vulnerability bulletin 12503

SAP: vulnerability 1789823

Synthesis of the vulnerability

An unknown vulnerability was announced in SAP products.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Creation date: 12/03/2013.
Identifiers: 1789823, 1813734, DOC-8218, VIGILANCE-VUL-12503.

Description of the vulnerability

An unknown vulnerability was announced in SAP products.