Arbitrary Operating System Command Injection Vulnerability in SAP IS-OIL Component

CVE-2023-36922 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Due to a programming error in a function module and report, the IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. On successful exploitation, the attacker can read or modify the system data as well as shut down the system.
