BankInfoSecurity
Compliance
March 29, 2021
March 31, 2021
Compliance
@prajeetspeaks) •
February 12, 2021
Get Permission
SAP has issued a patch and remediation advice for a critical remote code execution vulnerability in its SAP Commerce product that could, if exploited, disrupt the entire system.
SAP Commerce organizes data, such as product information, to be propagated across communication channels.
"Due to a misconfiguration of the default user permissions that are shipped with SAP Commerce, several lower-privileged users and user groups gain permissions to change DroolsRule ruleContents and thus gain unintended access to these scripting facilities," says Thomas Fritsch of Onapsis Research Labs.
This vulnerability could enable unauthorized users to inject malicious code into these scripts, resulting in a strong negative impact on the application’s confidentiality, integrity and availability, he adds.