The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of SAP: multiple vulnerabilities for February 2014

Summary of the vulnerability

An attacker can exploit several vulnerabilities in SAP products.
Vulnerable products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity of this weakness: 2/4.
Number of vulnerabilities in this bulletin: 10.
Creation date: 14/02/2014.
References of this bulletin (SAP Security Notes): 1716640, 1769611, 1771706, 1777988, 1781171, 1833327, 1911319, 1913388, 1915908, 1942332, VIGILANCE-VUL-14262.

Description of the vulnerability 

Several vulnerabilities were publicly announced this month by SAP.

An attacker can exploit a directory traversal in HFILTAX0_FORMS0_ALV, in order to read a file outside the intended root path. [severity:2/4; 1913388]

An attacker can exploit a directory traversal in HFISTWC0_FORMS, in order to read a file outside the intended root path. [severity:2/4; 1777988]

An attacker can exploit a directory traversal in HFIUTMS0, in order to read a file outside the intended root path. [severity:2/4; 1771706]

An attacker can exploit a directory traversal in HFISTBC0_SUBR, in order to read a file outside the intended root path. [severity:2/4; 1769611]
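The four items above share one root cause: a caller-supplied file name is joined to a fixed root directory without checking where the result lands. The bulletin does not show the affected code, so the following is an added illustration (not SAP's code, not Vigil@nce's) of the vulnerable join beside a hardened resolver. The root directory and the request paths are constructed sample values.

```python
import posixpath
from typing import List, Optional, Tuple

# Constructed sample root: the directory a form-rendering routine is meant to read from.
ROOT = "/srv/sap/forms"


def naive_join(root: str, user_path: str) -> str:
    """Vulnerable pattern: concatenate the root and the caller-supplied path and
    normalize it, without checking whether the result is still under the root.
    '..' segments walk out of the root, and an absolute user path replaces it."""
    return posixpath.normpath(posixpath.join(root, user_path))


def resolve_within_root(root: str, user_path: str) -> Optional[str]:
    """Hardened pattern: return the normalized path only if it stays under root.

    Rejects absolute paths and NUL bytes up front, then normalizes and checks the
    prefix with a trailing separator so that '/srv/sap/forms2' is not mistaken for
    something under '/srv/sap/forms'. Returns None for anything that escapes."""
    if "\x00" in user_path or user_path.startswith("/"):
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def check_requests(root: str, requests: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """For each request, return (request, naive result, hardened result)."""
    return [(p, naive_join(root, p), resolve_within_root(root, p)) for p in requests]


if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest attempts to leave the root.
    samples = [
        "tax/2014/report.txt",
        "../../../etc/passwd",
        "../forms2/other.txt",
        "/etc/passwd",
        "tax/../../private.key",
    ]
    for path, naive, safe in check_requests(ROOT, samples):
        print(f"{path!r:28} naive -> {naive!r:28} hardened -> {safe!r}")
```

posixpath.normpath is a pure string operation, which keeps the example deterministic, but it knows nothing about symlinks; a real handler should additionally call os.path.realpath on the accepted candidate and repeat the prefix check, since a link inside the root can point outside it.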

An attacker can trigger a cross-site scripting vulnerability in Business Planning and Consolidation, in order to execute JavaScript in the context of the web site. [severity:2/4; 1942332]

An attacker can bypass access restrictions in ABAP Reports, in order to read or alter data. [severity:2/4; 1911319]

An attacker can bypass access restrictions in ABAP Reports, in order to read or alter data. [severity:2/4; 1716640]

An attacker can bypass access restrictions in ABAP Reports, in order to read or alter data. [severity:2/4; 1915908]

An attacker can trick the victim into clicking in WebDynpro Java (clickjacking), in order to perform operations on the victim's behalf. [severity:1/4; 1781171]

An attacker can exploit a SQL injection in LSZRSF03, in order to read or alter data. [severity:2/4; 1833327]
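The bulletin does not show the injectable statement in LSZRSF03, so the following is an added illustration of the vulnerability class, not SAP's code. It uses Python with an in-memory SQLite table (constructed sample rows, not data from any SAP system) to show how a value spliced into the statement text changes the WHERE clause, and how binding the same value as a parameter does not.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample table standing in for whatever table the report queries.
SAMPLE_ROWS = [
    ("1000", "Alpha Holding"),
    ("2000", "Beta Works"),
    ("3000", "Gamma Trading"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE company (code TEXT PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO company VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, code: str) -> List[Tuple[str, str]]:
    """Injectable: the caller-supplied value is concatenated into the statement,
    so a quote in the input closes the literal and the rest is parsed as SQL."""
    sql = "SELECT code, name FROM company WHERE code = '" + code + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, code: str) -> List[Tuple[str, str]]:
    """Parameterized: the driver binds the value as data, so it is only ever
    compared against the column, whatever characters it contains."""
    return conn.execute("SELECT code, name FROM company WHERE code = ?", (code,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"          # turns the WHERE clause into code='' OR '1'='1'
    print("vulnerable:", lookup_vulnerable(conn, payload))   # every row leaks
    print("safe:      ", lookup_safe(conn, payload))          # no row matches
```

In ABAP the equivalent discipline is to keep user input out of dynamically built Open SQL WHERE clauses, or to pass it through the escaping helpers in the CL_ABAP_DYN_PRG class before concatenation; that pointer is general guidance, not something the bulletin states about note 1833327.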

Other vulnerabilities may have been announced this month, but they are private. SAP must be contacted to obtain the full list.

This weakness note impacts software or systems such as Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.

Our Vigil@nce team rated the severity of this threat note as medium.

The trust level is "confirmed by the editor", with an origin of "document".

This bulletin covers 10 vulnerabilities.

An attacker with expert skills can exploit these weaknesses.

Solutions for this threat 

SAP: Security Notes of February 2014.
Several Security Notes were publicly announced this month by SAP. They are listed in the information sources (the SAP Security Notes referenced above).
Other Security Notes may have been announced this month, but they are private. SAP must be contacted to obtain the full list.

Computer vulnerability tracking service

Vigil@nce provides application vulnerability alerts. The Vigil@nce vulnerability database contains several thousand vulnerabilities.