CRITICAL🇵🇱 Wersja polska

CVE-2023-36922

CVSS 9.1v3.1pub. 2023-07-11upd. 2024-11-21

Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension.  On successful exploitation, the attacker can read or modify the system data as well as shut down the system.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • Sap Netweaver

    APP
    Sap
    600602603604605606617618800802803804805806807
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2025-42999CRITICAL9.1⚠ KEVPL ✓ten sam produkt

SAP NetWeaver Visual Composer — niebezpieczna deserializacja treści

CVE-2025-31324CRITICAL10.0⚠ KEVPL ✓ten sam produkt

SAP NetWeaver: nieautoryzowany upload plików wykonywalnych w Visual Composer

CVE-2021-38163CRITICAL9.9⚠ KEVten sam produkt

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker aut...

CVE-2020-6203CRITICAL9.1ten sam produkt

SAP NetWeaver UDDI Server (Services Registry), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; allows an a...

CVE-2011-1517CRITICAL9.8ten sam produkt

SAP NetWeaver 7.0 allows Remote Code Execution and Denial of Service caused by an error in the DiagTraceHex() ...