Arbitrary file upload in SAP Business One

#VU55669 Arbitrary file upload in SAP Business One

Published: 2021-08-10

Vulnerability identifier: #VU55669

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2021-33698

CWE-ID: CWE-434

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SAP Business One
Mobile applications / Apps for mobile phones

Vendor: SAP

Description

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to insufficient validation of file during file upload in SAP Business One. A remote authenticated user can upload a malicious file and execute it on the server.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SAP Business One: 10.0

CPE

cpe:2.3:a:sap:sap_business_one:10.0:*:*:*:*:*:*:*

External links
http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
http://launchpad.support.sap.com/#/notes/3071984

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in SAP Business One