SAP BW Security Notes - composite post

This blog post has an intention to cover security SAP notes especially related to BW. I plan to keep this blog updated with the newest security notes as they being published by SAP.

Basically you can check those notes by yourself on SAP Service Market place as follows:

service.sap.com/securitynotes -> SAP Security Notes -> Security Notes Search

Here’s the list:

Note No	App. area	Short text	Pr io	Released On
1575722	BW-BEX-OT-DBIF	Directory traversal in BW	2	09.08.2011
1572325	BW-BEX-OT	Unauthorized modification of displayed content in BW	2	09.08.2011
1581717	BW-BEX-OT	Potential disclosure of persisted data in BW RFC	2	09.08.2011
1599806	BW-PLA-BPS-WIB	Aktualisierung #1 zu Sicherheitshinweis 1482118	2	15.06.2011
1567882	BW-BEX-OT	Missing authorization check in BW RFC	1	10.05.2011
1566039	BW-BCT-ISR	Nicht autoris. Änderungen und Ausführung bei RSBCT_RFASH_ALI	2	10.05.2011
1547271	BW-WHM-AWB	Missing authorization check in RFC with call transaction	2	08.03.2011
1546601	BW-BEX-ET-WJR-AD	Potential remote code execution in BW WAD	2	08.03.2011
1524030	BW-BEX	Update #1 to Security Note 1493268	3	03.02.2011
1479762	BW-BEX-OT	Missing authority check in SAP_RSADMIN_MAINTAIN	2	11.01.2011
1494840	BW-BEX-ET-WEB	Unauthorized modification of displayed content in 3.x BEX	2	14.12.2010
1494255	BW-BCT-CMS	Generic dataloader missing authority check for BW Objects	2	14.12.2010
1491683	BW-BCT-BBP	Unauthorized modification of displayed content - Vendor Eval	2	14.12.2010
1488964	BW-BCT-ISR-PIP	Potential disclosure of persisted data in BW-BCT-ISR-PIP	2	14.12.2010
1514927	BW-BEX-OT	Unauthorized modification of displayed content in BW	2	14.12.2010
1477027	BW-BCT-ISR-RSL	RMA Berechtigungsprüfung im Check Report BW	3	14.12.2010
1479376	BW-BCT-GEN	Potential disclosure of data in RS_BCT_CONTTOOLS_ABAP	2	14.12.2010
1511877	BW-BCT-EPM	Directory traversal/SQL injection in SPM1.0	2	14.12.2010
1466529	BW-BEX-OT-OLAP	Directory Traversel in BW OLAP RFC	2	14.12.2010
1482118	BW-PLA-BPS	Unautorisierte Änderung von angezeigten Inhalten in PLA-BPS	2	09.11.2010
1474431	BW-BCT-ISR	Versenden von Abverkaufsdaten an SAP DM	2	09.11.2010
1491966	BW-PLA-BPS	Unauthorized modification of displayed content in CRM-BPS	2	12.10.2010
1492210	BW-BCT-ISR	Location of the "SAP for Retail - Security Guide"	6	12.10.2010
1469368	BW-BCT-ISR-RSL	Fehlende Autorisierungsprüfung in RMA-Workbench	3	14.09.2010
1471265	SRM-BW	Vulnerability during dynamic function call without validatio	2	14.09.2010
1493268	BW-BEX	Unauthorized modification of displayed content in BW	3	14.09.2010
1429198	BW-BEX-OT-OLAP-AUT	Fehlende Autorisierungsprüfung in RSUDO beim "Ausführen als"	3	10.08.2010
1150499	BW	Directory Traversal in BW Statistik	3	10.08.2010
1466530	BW-BEX-OT-OLAP	code injection vulnerability in a BW function module	3	10.08.2010
1466531	BW-BEX-OT-OLAP	Reflected Cross-site Scripting (BW Document Browser)	3	08.06.2010
1432456	BW-WHM-DST-AUT	Anpassung Rollenvorlagen: S_RS_HYBR, S_RS_LPOA hinzugefügt	3	11.05.2010
1437894	BW-BCT-ISR-PIP	Potential disclosure of authentication information	2	11.05.2010
1415148	BW-BEX-ET-WEB	Missing Input Validation in Business-Explorer	1	09.02.2010
1407285	BW-BEX-ET	Sicherheitslücke in BEx Tools	1	03.02.2010
1414059	BW-BEX-OT-DBIF	Fehlende Berechtigungsprüfung in einem BW Report	2	07.12.2009
1390941	BW-BEX-ET-WEB	Bei Ausführung 3.X Web Template nur unverständliche Zeichen	1	23.11.2009
1357370	BW-BEX-OT-DBIF	Editor ohne Berechtigungsprüfung	2	19.10.2009
1251121	BW-BEX-ET-WJR-RT	BEx Web 7.0: Display Support Information in Error Pages	2	08.10.2009
1392352	BW-BEX-ET-WEB	Sicherheitshinweis: Cross Site Scripting	1	08.10.2009
1142431	BW-BEX-OT-MDX	Sicherheitshinweis: Buffer Overflow in ODBO Providers	1	08.10.2009
1158063	BW-WHM	P18:Security Note:RSSM_EXEC_COMMAND auf RSBDCOS0 umstellen	3	08.10.2009
1122437	BW-BEX-ET-WJR	Display Stack Trace in Error Pages	6	08.10.2009

Legend:

Note priorities (prio):

1 - HotNews

2 - Correction with high priority

3 - Correction with medium priority

4 - Correction with low priority

6 - Recommendations/additional info