Arbitrary file upload in SAP Business One

#VU55669 Arbitrary file upload in SAP Business One

Published: 2021-08-10

Vulnerability identifier: #VU55669

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-33698

CWE-ID: CWE-434

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SAP Business One
Mobile applications / Apps for mobile phones

Vendor: SAP

Description

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to insufficient validation of file during file upload in SAP Business One. A remote authenticated user can upload a malicious file and execute it on the server.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SAP Business One: 10.0

External links
http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
http://launchpad.support.sap.com/#/notes/3071984

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in SAP Business One