At ESNC, we encourage security research and publications. Our consultants have presented critical security issues regarding SAP systems at renowned security conferences such as CCC Annual Congress, Hack.lu, Sec-T, Defcon Hashdays, Hacktivity and more.

The following is the list of advisories we published in 2013:

[ESNC-2013-004] Remote ABAP Code Injection in OpenText/IXOS ECM for SAP NetWeaver

Please refer to https://esnc-wp-qa-01.westeurope.cloudapp.azure.com for the original security advisory, updates and additional information.

1. Business Impact

This vulnerability allows injection of ABAP code to the remote SAP system. In SAP security, this is the equivalent of getting an ultra-reliable ring 0 exploit which works through the network and never crashes. By exploiting this…

[ESNC-2013-003] Remote OS Command Execution in SAP BASIS Communication Services

Please refer to https://esnc-wp-qa-01.westeurope.cloudapp.azure.com for the original security advisory, updates and additional information.

1. Business Impact

This vulnerability allows executing arbitrary operating system commands on the remote SAP system with the rights of the SAP application user. By exploiting this vulnerability, an attacker can take complete control of the SAP application and data…

[ESNC-2013-005] Remote Code Injection in SAP ERP Central Component – Project System

Please refer to https://esnc-wp-qa-01.westeurope.cloudapp.azure.com for the original security advisory, updates and additional information.

1. Business Impact

Project System, which is part of SAP ERP, provides tools to track project costs and resources. It is tightly integrated with Controlling, Human Resources, and Logistics modules. This vulnerability allows execution of arbitrary program code of the…

[ESNC-2013-002] Privilege Escalation in SAP Production Planning and Control

Please refer to https://esnc-wp-qa-01.westeurope.cloudapp.azure.com for the original security advisory, updates and additional information.

1. Business Impact

This vulnerability allows bypassing authority checks that exist before executing a transaction. A transaction in SAP terminology is the execution of a program. By exploiting this vulnerability, an attacker can also control the transaction to be executed, allowing…

[ESNC-2013-001] Privilege Escalation in SAP Healthcare Industry Solution

Please refer to https://esnc-wp-qa-01.westeurope.cloudapp.azure.com for the original security advisory, updates and additional information.

1. Business Impact

This vulnerability allows bypassing authority checks that exist before executing a transaction. A transaction in SAP terminology is the execution of a program. By exploiting this vulnerability, an attacker can also control the transaction to be executed,…