Skip links
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

Missing authorization check for SPP alert deletion, SAP security note 1491435

Description

A malicious user can exploit the deletion of such alerts which belong to the SPP application and use specially crafted inputs to execute arbitrary database commands to retrieve, or remove data persisted by the system.

Available fix and Supported packages

  • SCM | 500 | 500
  • SCM | 510 | 510
  • SCM | 700 | 700
  • SCM | 701 | 701
  • SCM_BASIS | 500 | 500
  • SCM_BASIS | 510 | 510
  • SCM_BASIS | 700 | 700
  • SCM_BASIS | 701 | 701
  • SCM 701 | SAPKY70102 |
  • SCM 500 | SAPKY50019 |
  • SCM 510 | SAPKY51015 |
  • SCM 700 | SAPKY70009 |
  • SCM_BASIS 701 | SAPK-70102INSCMBASIS |
  • SCM_BASIS 500 | SAPK-50019INSCMBASIS |
  • SCM_BASIS 510 | SAPK-51018INSCMBASIS |
  • SCM_BASIS 700 | SAPK-70009INSCMBASIS |

Affected component

    SCM-APO-SPP-SHA
    Shortage Analysis

CVSS

Score: 0

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/1491435

TAGS

#SQL-injection
#database
#SPP-Alert-Monitor
#deletion

More to explorer