CVE-2022-41260 An attacker can inject a web script via a GET request in SAP Financial Consolidation 1010, which does not encode user-controlled input.

SAP Financial Consolidation - version 1010, does not sufficiently encode user-controlled input which may allow an unauthenticated attacker to inject a web script via a GET request. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. CVE-2018-8270 - SAP Risk Management - Unvalidated Redirects to External Sites An issue has been discovered in SAP Risk Management where unvalidated redirection to external sites may lead to information disclosure. An unauthenticated attacker may be able to access external sites via redirection. This issue has been assigned Common Vulnerability Scoring System (CVSS) rating of 5.5. CVSS scores represent a range from 0 to 10 where 0 is low and 10 is high.

An issue has been discovered in SAP Risk Management where unvalidated redirection to external sites may lead to information disclosure. An unauthenticated attacker may be able to access external sites via redirection. This issue has been assigned Common Vulnerability Scoring System (CVSS) rating of 5.5. CVSS scores represent a range from 0 to 10 where 0 is low and 10 is high. CVE-2018-8271 - SAP Risk Management - SQL Injection An issue has been discovered in SAP Risk Management where user input is not sufficiently validated against the configured input rules which may lead to SQL injection. An unauthenticated attacker may be able to inject SQL code into the application via the input

Security Measures Taken By SAP

SAP has taken a number of security precautions to ensure that the vulnerabilities in these products are fixed as soon as possible. These measures include:

SAP will provide free of charge replacement software for any impacted user-controlled input which leads to a vulnerability.

What is SAP Risk Management?

SAP Risk Management is an application used for monitoring, analyzing and managing risk for business. It has been designed to help organizations detect and prevent potential risks in their business activities.
SAP Risk Management consists of three parts:
- Core SAP Risk Management - this is the engine that analyzes and monitors risk events happening within the business, provides continuous analytics and alerts on risk events;
- Integrated solution - a complete solution framework which includes the core SAP Risk Management engine, analytical models, dashboards, data warehouse;
- Extended solution - set of modules including SAP Risk Management web interface, data visualizations or dashboards.

The Security Risk of Not Detecting Incorrect Input

If you don't have a security team that adequately monitors your application for security risks, your business is at risk. When it comes to software development and design, there are risks associated with every task. This is something we're always aware of and take into account when building our products. At the end of the day, there are no guarantees that anything will go wrong with our software or applications. However, these risks can be mitigated by having a dedicated team to monitor for errors within an application.

Timeline

Published on: 11/08/2022 22:15:00 UTC
Last modified on: 11/14/2022 20:15:00 UTC

References

• https://launchpad.support.sap.com/#/notes/3260708
• https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41260