A vulnerability in SAP CRM has been highlighted in this month’s SAP critical patch update, released this week.
Three of the 19 security notes issued this month relate to SAP CRM, and include an SQL Injection vulnerability in SAP CRM WebClient User Interface, which could, according to security research firm ERPScan, allow a remote attacker to conduct corporate espionage by sending a special request and stealing customer data such as customer information, pricing, sales or prospective bids.
A cross-site scripting vulnerability in SAP CRM IPC Pricing, which could allow an attacker to inject a malicious script into a page to access cookies, session tokens and other information used for interaction with a web application, has also been closed by SAP in this update.
SAP has also highlighted in recently released Security Note 2393021 that SAP applications written by developers using an unpatched Adobe Flex Software Development Kit or SAP’s Web Dynpro Flex may be susceptible to an XSS vulnerability. Though the issue, which allowed remote injection of arbitrary web script or HTML, was patched in March 2012, the flaw lies in a library that is compiled into each application, so simply applying the SDK fix is not sufficient to rid an already-built application of the loophole, according to ERPScan. Applications written with these unpatched SDKs should be rebuilt using a patched version.
SAP customers are encouraged to check the monthly update and apply security updates as soon as possible to protect their systems.