SAP NetWeaver Process Integration could allow a remote attacker to bypass security restrictions, caused by improper access control. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain full read access to user data, make limited modifications to user data, and degrade the performance of the system.
SAP NetWeaver AS for Java is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
Current SAP customers should refer to SAP note for patch information, available from the SAP Web site (login required).