Positive Technologies has today confirmed it has detected Vulnerability-related.DiscoverVulnerability vulnerabilities in SAP Enterprise Portal Navigation , SAP NetWeaver Log Viewer and SAP Enterprise Portal Theme Editor , which are the components of the SAP NetWeaver platform . By exploiting these security flaws , attackers can intercept Attack.Databreach login credentials , register keystrokes , spoof data or perform other illegal activities that could potentially lead to a system compromise . Four Cross-Site Scripting ( XSS ) vulnerabilities were detected Vulnerability-related.DiscoverVulnerability in the following SAP Enterprise Portal components : SAP Enterprise Portal Navigation ( CVSSv3 score 6.1 ) and SAP Enterprise Portal Theme Editor ( three flaws with CVSSv3 scores 5.4 , 6.1 , and 6.1 ) . Exploiting these vulnerabilities , an attacker could obtain access Attack.Databreach to a victim 's session tokens , login credentials or other sensitive information in the browser , perform arbitrary actions on the victim 's behalf , rewrite HTML page content and intercept Attack.Databreach keystrokes . The relevant remediation guidelines are described in SAP Security notes No . 2369469 , 2372183 , 2372204 , and 2377626 . Another vulnerability—Directory Traversal ( CVSSv3 score 5.9 ) —allows arbitrary file upload in SAP NetWeaver Log Viewer . Attackers can upload a malformed archive that contains files with special characters in their names . When the web application unpacks the archive , it resolves symbols `` . '' and `` / '' as a part of the correct file path , so attackers can exploit the Directory Traversal vulnerability and upload files to an arbitrary place on the server file system . The consequences of arbitrary file upload can include total compromise of a system , overload of a file system or database , expanding attacks to back-end systems and defacement . The impact of this vulnerability is high , as arbitrary code can be executed on the server . SAP Security note No . 2370876 describes the activities required to eliminate this flaw . Dmitry Gutsko , Head of the Business System Security Unit at Positive Technologies said : `` Large companies all over the world use SAP to manage financial flows , product lifecycle , relationships with vendors and clients , company resources , procurement , and other critical business processes . It is vital to protect the information stored in SAP systems as any breach Attack.Databreach of confidential information could have a devastating impact on the business . '' In order to identify vulnerabilities in SAP products , perform inventory checks on these systems , manage updates and analyze settings , configurations , and permissions , Positive Technologies ’ MaxPatrol vulnerability and compliance management solution has been certified by SAP for integration with SAP NetWeaver . In addition , Positive Technologies Application Firewall ( PT AF ) detects attacks , including those that leverage zero-day vulnerabilities , in SAP NetWeaver , SAP ICM , SAP Management Console , and SAP SOAP RFC using special security profiles . Positive Technologies Application Inspector also supports analysis of Java applications for the SAP NetWeaver Java platform .