Skip links
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

Potential disclosure of DB data in CL_BBP_PERSIST_EVENT_CONT, SAP security note 1478978

Description

A malicious user can exploit CL_BBP_PERSIST_EVENT_CONT and use specially crafted inputs to execute arbitrary database commands to retrieve, modify, or remove data persisted by the system.
The dynamic ‘where’-clause can be manipulated by the attacker to insert malicious code.
Affected Releases: SRM_SERVER 7.01; 7.0; 5.5; 5.0

Available fix and Supported packages

  • SRM_SERVER | 550 | 550
  • SRM_SERVER | 700 | 700
  • SRM_SERVER | 701 | 701
  • SRM_SERVER 550 | SAPKIBKT17 |
  • SRM_SERVER 701 | SAPK-70102INSRMSRV |
  • SRM_SERVER 700 | SAPKIBKV09 |
  • SRM_SERVER 550 | SAPKIBKT18 |

Affected component

    SRM-EBP-ALR
    Events and Alert Management

CVSS

Score: 0

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/1478978

TAGS

#SRM
#Supplier-Relationship-Management
#procurement
#E-Commerce
#Web
#business-to-business
#SAP-Business-to-Business-Procurement
#BBP
#business-to-business
#e-business
#Ebusiness
#Internet
#EBP
#EnterpriseBuyer
#Enterprise-Buyer-professional-edition
#SRM_SERVER
#security-vulnerability
#SQL-injection-vulnerability
#unsecure-database-access
#CL_BBP_PERSIST_EVENT_CONT

More to explorer