SAP NetWeaver AS ABAP is vulnerable to a denial of service (DoS) caused by the absence of any restriction on calling the RFC-enabled function module SPI_WAIT_MILLIS. A remote attacker can trigger the DoS by calling the function repeatedly and blocking all work processes, leaving the system in a denial-of-service condition.
SAP NetWeaver AS Java is vulnerable to cross-site scripting caused by improper validation of user-supplied input. Exploitation requires a remote authenticated attacker who injects malicious scripts into web pages; these scripts execute in a victim's web browser, within the security context of the hosting website, once the page is viewed. As a result, the victim's cookie-based authentication credentials can be stolen.
SAP NetWeaver Master Data Management could allow an attacker to obtain sensitive information because of improper authentication validation. An attacker can exploit this weakness with brute-force attacks to obtain sensitive data and launch further attacks against the affected system.
Current SAP users can log in to their SAP account to view information on the available patches at https://accounts.sap.com/saml2/idp/sso