[FD] File Upload in Integration Gateway (PSIGW)

2017-07-20 Thread ERPScan inc
1. ADVISORY INFORMATION Title: File Upload in Integration Gateway (PSIGW) Advisory ID: [ERPSCAN-17-039] Advisory URL: https://erpscan.com/advisories/erpscan-17-039-file-upload-integration-gateway-psigw-peoplesoft/ Risk: High Date published: 18.07.2017 Vendor contacted: Oracle 2. VULNERABILITY IN

[FD] Directory Traversal vulnerability in Integration Gateway (PSIGW)

2017-07-20 Thread ERPScan inc
1. ADVISORY INFORMATION Title: Directory Traversal vulnerability in Integration Gateway (PSIGW) Advisory ID: [ERPSCAN-17-038] Advisory URL: https://erpscan.com/advisories/erpscan-17-038-directory-traversal-vulnerability-integration-gateway-psigw/ Risk: High Date published: 18.07.2017 Vendor conta

[FD] Multiple XSS (POST request) Vulnerabilities in TestServlet (PeopleSoft)

2017-07-20 Thread ERPScan inc
1. ADVISORY INFORMATION Title: Multiple XSS (POST request) Vulnerabilities in TestServlet (PeopleSoft) Advisory ID: [ERPSCAN-17-037] Advisory URL: https://erpscan.com/advisories/erpscan-17-037-multiple-xss-vulnerabilities-testservlet-peoplesoft/ Risk: Medium Date published: 18.07.2017 Vendor cont

[FD] [ERPSCAN-17-022] SSRF in PeopleSoft IMServlet

2017-04-21 Thread ERPScan inc
Application: Oracle PeopleSoft Versions Affected: ToolsRelease: 8.55.03; ToolsReleaseDB: 8.55; PeopleSoft HCM 9.2 Vendor URL: http://oracle.com Bugs: SSRF Reported: 23.12.2016 Vendor response: 24.12.2016 Date of Public Advisory: 18.04.2017 Reference: Oracle CPU April 2017 Author: Roman Shalymov (ER

[FD] [ERPSCAN-17-021] SQL Injection in E-Business Suite IESFOOTPRINT

2017-04-21 Thread ERPScan inc
Application: Oracle E-Business Suite Versions Affected: Oracle EBS 12.2.3 Vendor URL: http://oracle.com Bug: SQL injection Reported: 23.12.2016 Vendor response: 24.12.2016 Date of Public Advisory: 18.04.2017 Reference: Oracle CPU April 2017 Author: Dmitry Chastuhin (ERPScan) Description 1. ADVISO

[FD] [ERPSCAN-17-020] XXE VIA DOCTYPE in PeopleSoft PeopleSoftServiceListeningConnector

2017-04-21 Thread ERPScan inc
Application: Oracle PeopleSoft Versions Affected: PeopleSoft HCM 9.2 on PeopleTools 8.55 Vendor URL: http://oracle.com Bug: XXE Reported: 23.12.2016 Vendor response: 24.12.2016 Date of Public Advisory: 18.04.2017 Reference: Oracle CPU April 2017 Author: Nadya Krivdyuk (ERPScan) Description 1. AD

[FD] [ERPSCAN-16-041] SAP NETWEAVER DIRECTORY CREATION OUTSIDE OF THE JVM

2017-03-24 Thread ERPScan inc
Application: SAP NetWeaver Versions Affected: SAP NetWeaver AS JAVA UMEADMIN component Vendor URL: http://SAP.com Bugs: Directory traversal Reported: 04.12.2015 Vendor response: 05.12.2015 Date of Public Advisory: 13.12.2016 Reference: SAP Security Note 2310790 Author: Mathieu Geli (ERPScan) Desc

[FD] CVE-2017-3241 - [ERPSCAN-17-006] Oracle OpenJDK - Java Serialization DoS

2017-01-23 Thread ERPScan inc
Application: Java SE Vendor: Oracle Bug: DoS Reported: 23.12.2016 Vendor response: 24.12.2016 Date of Public Advisory: 17.01.2017 Reference: Oracle CPU Jan 2017 Author: Roman Shalymov 1. ADVISORY INFORMATION Title: Oracle OpenJDK - Java Serialization DoS Advisory ID: [ERPSCAN-17-006] R

[FD] [ERPSCAN-17-005] Oracle PeopleSoft - XSS vulnerability CVE-2017-3300

2017-01-23 Thread ERPScan inc
Application: Oracle PeopleSoft Vendor: Oracle Bugs: XSS Reported: 31.10.2016 Vendor response: 1.11.2016 Date of Public Advisory: 17.01.2017 Reference: Oracle CPU Jan 2017 Authors: Vahagn Vardanyan, Dmitry Yudin 1. ADVISORY INFORMATION Title: Oracle PeopleSoft – XSS vulnerability Advisor

[FD] [ERPSCAN-16-037] SAP NetWeaver AS JAVA P4 - INFORMATION DISCLOSURE

2017-01-19 Thread ERPScan inc
Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.11-7.4 Vendor URL: http://SAP.com Bugs: Information disclosure Sent: 10.03.2016 Reported: 11.03.2016 Vendor response: 11.03.2016 Date of Public Advisory: 12.10.2016 Reference: SAP Security Note 2331908 Author:

[FD] [ERPSCAN-16-036] SAP ASE ODATA SERVER - DENIAL OF SERVICE

2017-01-19 Thread ERPScan inc
Application: SAP ASE Versions Affected: SAP ASE ODATA Server v16 Vendor URL: http://SAP.com Bugs: Denial of Service Sent: 01.02.2016 Reported: 02.02.2016 Vendor response: 02.02.2016 Date of Public Advisory: 12.10.2016 Reference: SAP Security Note 2330422 Author: Vahagn @vah_13 Vardanyan (E

[FD] [ERPSCAN-16-035] SAP Solman - user accounts disclosure

2016-12-20 Thread ERPScan inc
Application: SAP Solman Versions Affected: SAP Solman 7.1-7.31 Vendor URL: http://SAP.com Bugs: Information Disclosure Sent: 12.07.2016 Reported: 13.07.2016 Vendor response: 13.07.2016 Date of Public Advisory: 13.09.2016 Reference: SAP Security Note 2344524 Author: Roman Bezhan (ERPScan)

[FD] [ERPSCAN-16-034] SAP NetWeaver AS JAVA - XXE vulnerability in BC-BMT-BPM-DSK component

2016-11-22 Thread ERPScan inc
Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.4 Vendor URL: http://SAP.com Bug: XXE Sent: 09.03.2016 Reported: 10.03.2016 Vendor response: 10.03.2016 Date of Public Advisory: 09.08.2016 Reference: SAP Security Note 2296909 Author: Vahagn Vardanyan (ERPScan)

[FD] [ERPSCAN-16-033] SAP NetWeaver AS JAVA icman - DoS vulnerability

2016-11-22 Thread ERPScan inc
Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.4 Vendor URL: http://SAP.com Bug: Denial of Service Sent: 22.04.2016 Reported: 23.04.2016 Vendor response: 23.04.2016 Date of Public Advisory: 09.08.2016 Reference: SAP Security Note 2313835 Author: Vahagn Varda

[FD] [ERPSCAN-16-032] SAP Telnet Console – Directory traversal vulnerability

2016-11-18 Thread ERPScan inc
Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.1 to 7.5 Vendor URL: http://SAP.com Bugs: Directory traversal Sent: 04.12.2015 Reported: 05.12.2015 Vendor response: 05.12.2015 Date of Public Advisory: 09.08.2016 Reference: SAP Security Note 2280371 Author:

[FD] [ERPSCAN-16-031] SAP NetWeaver AS ABAP – directory traversal using READ DATASET

2016-11-18 Thread ERPScan inc
Application: SAP NetWeaver AS ABAP Versions Affected: SAP NetWeaver AS ABAP 7.4 Vendor URL: http://SAP.com Bugs: Directory traversal Sent: 22.04.2016 Reported: 23.04.2016 Vendor response: 23.04.2016 Date of Public Advisory: 09.08.2016 Reference: SAP Security Note 2312966 Author: Daria Pr

[FD] [ERPSCAN-16-030] SAP NetWeaver - buffer overflow vulnerability

2016-10-19 Thread ERPScan inc
Application: SAP NetWeaver KERNEL Versions Affected: SAP NetWeaver KERNEL 7.0-7.5 Vendor URL: http://SAP.com Bugs: Denial of Service Sent: 09.03.2016 Reported: 10.03.2016 Vendor response: 10.03.2016 Date of Public Advisory: 12.07.2016 Reference: SAP Security Note 2295238 Author: Dmitry

[FD] [ERPSCAN-16-029] SAP NetWeaver AS JAVA - deserialization of untrusted user value

2016-10-19 Thread ERPScan inc
Application: SAP EP-RUNTIME component Versions Affected: SAP EP-RUNTIME 7.5 Vendor URL: http://SAP.com Bugs: Denial of Service Sent: 22.04.2016 Reported: 23.04.2016 Vendor response: 23.04.2016 Date of Public Advisory: 12.07.2016 Reference: SAP Security Note 2315788 Author: Mathieu Geli (

[FD] [ERPSCAN-16-028] SAP Adaptive Server Enterprise - DoS vulnerability

2016-10-19 Thread ERPScan inc
Application: SAP Adaptive Server Enterprise Versions Affected: SAP Adaptive Server Enterprise 16 Vendor URL: http://SAP.com Bugs: Denial of Service Sent: 01.02.2016 Reported: 02.02.2016 Vendor response: 02.02.2016 Date of Public Advisory: 12.07.2016 Reference: SAP Security Note 233083

[FD] [ERPSCAN-16-021] SAP xMII - Reflected XSS vulnerability

2016-07-15 Thread ERPScan inc
Application: SAP xMII Versions Affected: SAP xMII 15 Vendor URL: http://SAP.com Bugs: XSS Sent: 04.12.2015 Reported: 05.12.2015 Vendor response: 05.12.2015 Date of Public Advisory: 12.04.2016 Reference: SAP Security Note 2201295 Author: Nursultan Abubakirov (ERPScan) , Vahagn Vardanyan

[FD] [ERPSCAN-16-020] SAP NetWeaver AS JAVA UDDI component - XXE vulnerability

2016-07-15 Thread ERPScan inc
Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.4 Vendor URL: http://SAP.com Bug: XXE Sent: 04.12.2015 Reported: 05.12.2015 Vendor response: 05.12.2015 Date of Public Advisory: 12.04.2016 Reference: SAP Security Note 2254389 Author: Vahagn Vardanyan (E

[FD] [ERPSCAN-16-019] SAP NetWeaver Enqueue Server - DoS vulnerability

2016-07-15 Thread ERPScan inc
Application: SAP NetWeaver Enqueue Server Versions Affected: SAP NetWeaver Enqueue Server 7.4 Vendor URL: http://SAP.com Bug: denial of service Sent: 04.12.2015 Reported: 05.12.2015 Vendor response: 05.12.2015 Date of Public Advisory: 12.04.2016 Reference: SAP Security Note 225878

[FD] [ERPSCAN-16-018] SAP Application server for Javat - DoS vulnerability

2016-06-24 Thread ERPScan inc
Application: SAP NetWeaver AS JAVA Versions Affected: SAP Application server for Java 7.2 - 7.4 Vendor URL: http://SAP.com Bugs: denial of service Sent: 04.12.2015 Reported: 05.12.2015 Vendor response: 05.12.2015 Date of Public Advisory: 14.03.2016 Reference: SAP Security Note 2259547

[FD] [ERPSCAN-16-017] SAP JAVA AS icman - DoS vulnerability

2016-06-24 Thread ERPScan inc
Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.2 - 7.4 Vendor URL: http://SAP.com Bugs: denial of service Sent: 04.12.2015 Reported: 05.12.2015 Vendor response: 05.12.2015 Date of Public Advisory: 14.03.2016 Reference: SAP Security Note 2256185 Autho

[FD] [ERPSCAN-16-015] SAP NetWeaver Java AS - multiple XSS vulnerabilities

2016-06-21 Thread ERPScan inc
Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5 Vendor URL: http://SAP.com Bugs: XSS Sent: 29.09.2015 Reported: 30.09.2015 Vendor response: 30.09.2015 Date of Public Advisory: 08.03.2016 Reference: SAP Security Note 2238765 Author: Vahagn Vardanyan

[FD] [ERPSCAN-16-016] SAP NetWeaver Java AS WD_CHAT - Information disclosure vulnerability

2016-06-21 Thread ERPScan inc
Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5 Vendor URL: http://SAP.com Bug: information disclosure Sent: 04.12.2015 Reported: 05.12.2015 Vendor response: 05.12.2015 Date of Public Advisory: 08.03.2016 Reference: SAP Security Note 2255990 Author:

[FD] [ERPSCAN-16-014] SAP NetWeaver AS Java NavigationURLTester - XSS vulnerability

2016-06-18 Thread ERPScan inc
Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5 Vendor URL: http://SAP.com Bug: XSS Sent: 20.10.2015 Reported: 21.10.2015 Vendor response: 21.10.2015 Date of Public Advisory: 08.03.2016 Reference: SAP Security Note 2238375 Author: Vahagn Vardanyan

[FD] [ERPSCAN-16-013] SAP NetWeaver AS Java ctcprotocol servlet - XXE vulnerability

2016-06-18 Thread ERPScan inc
Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5 Vendor URL: http://SAP.com Bug: XXE Sent: 20.10.2015 Reported: 21.10.2015 Vendor response: 21.10.2015 Date of Public Advisory: 08.03.2016 Reference: SAP Security Note 2235994 Author: Vahagn Vardanyan

[FD] [ERPSCAN-16-012] SAP NetWeaver AS JAVA - directory traversal vulnerability

2016-06-18 Thread ERPScan inc
Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5 Vendor URL: http://SAP.com Bug: Directory traversal Sent: 29.09.2015 Reported: 29.09.2015 Vendor response: 30.09.2015 Date of Public Advisory: 08.03.2016 Reference: SAP Security Note 2234971 Author:

[FD] [ERPSCAN-16-011] SAP NetWeaver AS JAVA – SQL injection vulnerability

2016-05-23 Thread ERPScan inc
Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5 Vendor URL: http://SAP.com Bugs: SQL injection Send: 04.12.2015 Reported: 04.12.2015 Vendor response: 05.12.2015 Date of Public Advisory: 09.02.2016 Reference: SAP Security Note 2101079

[FD] [ERPSCAN-16-010] SAP NetWeaver AS JAVA – information disclosure vulnerability

2016-05-23 Thread ERPScan inc
Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5 Vendor URL: http://SAP.com Bugs: information disclosure Sent: 15.09.2015 Reported: 15.09.2015 Vendor response: 16.09.2015 Date of Public Advisory: 09.02.2016 Reference: SAP Security Note 2256846 Author

[FD] [ERPSCAN-16-009] SAP xMII - directory traversal vulnerability

2016-05-17 Thread ERPScan inc
Application: SAP xMII Versions Affected: SAP MII 15.0 Vendor URL: http://SAP.com Bugs: Directory traversal Sent: 29.07.2015 Reported: 29.07.2015 Vendor response: 30.07.2015 Date of Public Advisory: 09.02.2016 Reference: SAP Security Note 2230978 Author: Dmitry Chastuhin (ERPScan) Desc

[FD] [ERPSCAN-16-008] SAP NetWeaver AS JAVA - XSS vulnerability in ProxyServer servlet

2016-05-17 Thread ERPScan inc
Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.4 Vendor URL: http://SAP.com Bugs: Cross Site Scripting (XSS) Sent: 10.08.2015 Reported: 10.08.2015 Vendor response: 11.08.2015 Date of Public Advisory: 09.02.2016 Reference: SAP Security Note 2220571 Author: Va

[FD] [ERPSCAN-16-005] SAP HANA hdbxsengine JSON – DoS vulnerability

2016-04-20 Thread ERPScan inc
Application: SAP HANA Versions Affected: SAP HANA Vendor URL: http://SAP.com Bugs: DoS Sent: 28.09.2015 Reported: 28.09.2015 Vendor response: 29.09.2015 Date of Public Advisory: 12.01.2016 Reference: SAP Security Note 2241978 Author: Mathieu Geli (ERPScan) Description 1. ADVISORY INFORMATION

[FD] [ERPSCAN-16-004] SAP NetWeaver 7.4 (Pmitest servlet) – XSS vulnerability

2016-04-20 Thread ERPScan inc
Application: SAP NetWeaver Versions Affected: SAP NetWeaver J2EE Engine 7.40 Vendor URL: http://SAP.com Bugs: Cross-Site Scripting Sent: 01.09.2015 Reported: 01.09.2015 Vendor response: 02.09.2015 Date of Public Advisory: 12.01.2016 Reference: SAP Security Note 2234918 Author: Vahagn Vardanyan (E

[FD] [ERPSCAN-16-003] SAP NetWeaver 7.4 - cryptographic issues

2016-04-16 Thread ERPScan inc
Application: SAP NetWeaver Versions Affected: SAP NetWeaver J2EE Engine 7.40 Vendor URL: http://SAP.com Bugs: cryptographic issues Sent: 01.09.2015 Reported: 01.09.2015 Vendor response: 02.09.2015 Date of Public Advisory: 12.01.2016 Reference: SAP Security Note 2191290 Author: Vahagn Vard

[FD] [ERPSCAN-16-002] SAP HANA - log injection and no size restriction

2016-04-15 Thread ERPScan inc
Application: SAP HANA Versions Affected: SAP HANA Vendor URL: http://SAP.com Bugs: Log injection Sent: 28.09.2015 Reported: 28.09.2015 Vendor response: 29.09.2015 Date of Public Advisory: 12.01.2016 Reference: SAP Security Note 2241978 Author: Mathieu Geli (ERPScan) Description 1.

[FD] [ERPSCAN-16-001] SAP NetWeaver 7.4 - XSS vulnerability

2016-04-15 Thread ERPScan inc
Application: SAP NetWeaver Versions Affected: SAP NetWeaver J2EE Engine 7.40 Vendor URL: http://SAP.com Bugs: Cross-Site Scripting Sent: 01.09.2015 Vendor response: 02.09.2015 Date of Public Advisory: 12.01.2016 Reference: SAP Security Note 2206793 Author: Vahagn Vardanyan (ERPScan) Description

[FD] [ERPSCAN-15-032] SAP PCo agent – DoS vulnerability

2016-02-12 Thread ERPScan inc
Application: SAP PCo Versions Affected: SAP PCo 2.2, 2.3, 15.0, and 15.1 Vendor URL: http://SAP.com Bugs: DoS Send: 05.09.2015 Reported: 05.09.2015 Vendor response: 06.09.2015 Date of Public Advisory: 20.11.2015 Reference: SAP Security Note 2238619 Author: Mathieu Geli (ERPScan) Description 1.

[FD] [ERPSCAN-15-031] SAP MII – Encryption Downgrade vulnerability

2016-02-12 Thread ERPScan inc
Application: SAP MII Versions Affected: SAP MII 12.2, 14.0, 15.0 Vendor URL: http://SAP.com Bugs: Authentication bypass Send: 05.09.2015 Reported: 05.09.2015 Vendor response: 06.09.2015 Date of Pu

[FD] [ERPSCAN-15-024] SAP HANA hdbindexserver - Memory corruption

2016-01-27 Thread ERPScan inc
[ERPSCAN-15-024] SAP HANA hdbindexserver - Memory corruption Application: SAP HANA Versions Affected: SAP HANA 1.00.095 Vendor URL: http://SAP.com Bugs: Memory corruption, RCE Reported: 17.07.2015 Ven

[FD] ERPSCAN Research Advisory [ERPSCAN-15-022] SAP NetWeaver 7.4 - XSS

2015-12-16 Thread ERPScan inc
Application: SAP NetWeaver Versions Affected: SAP NetWeaver J2EE Engine 7.40 Vendor URL: http://SAP.com Bugs: Cross-Site Scripting Send: 13.07.2015 Reported: 13.07.2015 Vendor response: 14.07.2015

[FD] [ERPSCAN-15-021] SAP NetWeaver 7.4 - SQL Injection vulnerability

2015-12-16 Thread ERPScan inc
Application: SAP NetWeaver Versions Affected: SAP NetWeaver J2EE Engine 7.40 Vendor URL: http://SAP.com Bugs: SQL injection Send: 13.07.2015 Reported: 13.07.2015 Vendor response: 14.07.2015 Date of Pu

[FD] [ERPSCAN-15-020] SAP Mobile Platform 2.3 - XXE in application import

2015-11-24 Thread ERPScan inc
Application: SAP Mobile Platform 2.3 Versions Affected: SAP Mobile Platform 2.3, probably others Vendor URL: http://SAP.com Bugs: XML External Entity Send: 25.02.2015 Reported: 25.02.2015 Vendor response: 25.02.2015 Date of Public Advisory: 11.08.2015 Refere

[FD] [ERPSCAN-15-019] SAP Afaria - Stored XSS

2015-11-24 Thread ERPScan inc
Application: SAP Afaria Versions Affected: SAP Afaria 7, probably others Vendor URL: http://SAP.com Bugs: Stored XSS Send: 18.02.2015 Reported: 18.02.2015 Vendor response: 18.02.2015 Date of Public Advisory: 11.08.2015 Reference: SAP Security Note 2152669 Au

[FD] [ERPSCAN-15-018] SAP NetWeaver 7.4 - XXE

2015-11-24 Thread ERPScan inc
Application: SAP NetWeaver Versions Affected: SAP NetWeaver 7.4, probably others Vendor URL: http://SAP.com Bugs: XML External Entity Send: 16.04.2015 Reported: 16.04.2015 Vendor response: 16.04.2015 Date of Public Advisory: 11.08.2015 Reference: SAP Securit

[FD] [ERPSCAN-15-030] Oracle E-Business Suite - XXE injection Vulnerability

2015-10-30 Thread ERPScan inc
1. ADVISORY INFORMATION Title: Oracle E-Business Suite XXE injection Advisory ID: [ERPSCAN-15-030] Advisory URL: http://erpscan.com/advisories/erpscan-15-030-oracle-e-business-suite-xxe-injection-vulnerability/ Date published: 20.10.2015 Vendors contacted: Oracle 2. VULNERABILITY INFORMATION Cl

[FD] [ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability

2015-10-30 Thread ERPScan inc
1. ADVISORY INFORMATION Title: Oracle E-Business Suite - XXE injection Advisory ID: [ERPSCAN-15-029] Advisory URL: http://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/ Date published: 21.10.2015 Vendors contacted: Oracle 2. VULNERABILITY INFORMATION

[FD] [ERPSCAN-15-028] Oracle E-Business Suite - XXE injection Vulnerability

2015-10-30 Thread ERPScan inc
1. ADVISORY INFORMATION Title: Oracle E-Business Suite XXE injection Advisory ID: [ERPSCAN-15-028] Advisory URL: http://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/ Date published: 20.10.2015 Vendors contacted: Oracle 2. VULNERABILITY INFORMATION Cl

[FD] [ERPSCAN-15-027] Oracle E-Business Suite - Cross Site Scripting Vulnerability

2015-10-27 Thread ERPScan inc
1. ADVISORY INFORMATION Title: Oracle E-Business Suite Cross-site Scripting Advisory ID: [ERPSCAN-15-027] Advisory URL: http://erpscan.com/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/ Date published: 20.10.2015 Vendors contacted: Oracle 2. VULNERABILITY IN

[FD] [ERPSCAN-15-026] Oracle E-Business Suite - SQL injection Vulnerability

2015-10-27 Thread ERPScan inc
1. ADVISORY INFORMATION Title: Oracle E-Business Suite SQL injection Advisory ID: [ERPSCAN-15-026] Advisory URL: http://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/ Date published: 20.10.2015 Vendors contacted: Oracle 2. VULNERABILITY INFORMATION Cl

[FD] [ERPSCAN-15-025] Oracle E-Business Suite Database user enumeration Vulnerability

2015-10-27 Thread ERPScan inc
1. ADVISORY INFORMATION Title: Oracle E-Business Suite - Database user enumeration Advisory ID: [ERPSCAN-15-025] Advisory URL: http://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/ Date published: 20.10.2015 Vendors contacted: Oracle 2. VULN

[FD] ERPSCAN Research Advisory [ERPSCAN-15-017] SAP NetWeaver J2EE DAS service - Unauthorized Access

2015-10-17 Thread ERPScan inc
ERPSCAN Research Advisory [ERPSCAN-15-017] SAP NetWeaver J2EE DAS service - Unauthorized Access Application: SAP NetWeaver Versions Affected: SAP NetWeaver AS JAVA, probably others Vendor URL: http://SAP.com Bugs: Unauthorized access Sent: 20.04.2013 Reported: 21.04.2013 Vendor response: 21.04.20

[FD] [ERPSCAN-15-016] SAP NetWeaver – Hardcoded credentials

2015-09-10 Thread ERPScan inc
ERPSCAN Research Advisory [ERPSCAN-15-016] SAP NetWeaver – Hardcoded credentials Application: SAP NetWeaver Versions Affected: SAP NetWeaver AS ABAP, probably others Vendor URL: http://SAP.com Bugs: Hardcoded credentials Sent: 06.03.2014 Reported: 07.03.2014 Vendor response:

[FD] [ERPSCAN-15-015] SAP NetWeaver AS ABAP– Hardcoded Credentials

2015-09-10 Thread ERPScan inc
ERPSCAN Research Advisory [ERPSCAN-15-015] SAP NetWeaver AS ABAP– Hardcoded Credentials Application: SAP NetWeaver Versions Affected: SAP NetWeaver AS ABAP, probably others Vendor URL: http://SAP.com Bugs: Hardcoded credentials Sent: 06.03.2014 Reported: 07.03.2014 Vendor response:

[FD] [ERPSCAN-15-014] SAP Mobile Platform 3 – XXE in Add Repository

2015-09-10 Thread ERPScan inc
ERPSCAN Research Advisory [ERPSCAN-15-014] SAP Mobile Platform 3 – XXE in Add Repository Application: SAP Mobile Platform Versions Affected: SAP Mobile Platform 3, probably others Vendor URL: http://SAP.com Bugs: XML External Entity Sent: 13.03.2015 Reported: 14.03.2015 Vendor response:

[FD] [ERPSCAN-15-013] SAP NetWeaver AS Java CIM UPLOAD – XXE

2015-08-17 Thread ERPScan inc
ERPSCAN Research Advisory [ERPSCAN-15-013] SAP NetWeaver AS Java CIM UPLOAD – XXE Application: SAP NetWeaver AS Java Versions Affected: SAP NetWeaver AS Java 7.4, probably others Vendor URL: http://SAP.com Bugs: XML External Entity Sent: 16.06.2014 Reported: 17.06.2014 Vendo

[FD] ERPSCAN Research Advisory [ERPSCAN-15-012] SAP Afaria 7 XComms – Buffer Overflow

2015-08-14 Thread ERPScan inc
Application: SAP Afaria 7 Versions Affected: SAP Afaria 7, probably others Vendor URL: http://SAP.com Bugs: Buffer Overflow Sent: 13.03.2015 Reported: 14.03.2015 Vendor response: 14.03.2015 Date of Public Advisory: 18.05.2015 Reference: SAP Security Note 2153690 Author: Dmitry

[FD] SAP Security Notes August 2015

2015-08-13 Thread ERPScan inc
SAP has released the monthly critical patch update for August 2015. This patch update closes 22 vulnerabilities in SAP products, 15 have high priority, some of them belong to the