Dmitry Chastukhin

**Name of the Vulnerable Software and Affected Versions** SAP Afaria version 7 **Description** The issue exists due to insufficient protection of the web page structure in the Device Inspector page of the SAP Afaria mobile device management program. This allows a remote attacker to inject arbitrary HTML code using a specially crafted request. The vulnerability can be exploited by injecting arbitrary web script or HTML via crafted client name data in the Client form on the Device Inspector page. **Recommendations** For SAP Afaria version 7, consider restricting access to the Device Inspector page until a fix is available. As a temporary workaround, avoid using specially crafted client name data in the Client form to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SAP Mobile Platform (affected versions not specified) **Description** The issue allows remote attackers to send requests to intranet servers via crafted XML, exploiting an XML external entity (XXE) vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SAP NetWeaver version 7.40 **Description** The issue allows remote attackers to obtain sensitive information. This can be achieved via the `ReadProfile` parameters in the SAP Management Console. Additionally, the vulnerability exists due to a lack of restrictions on remote function calls, specifically the `GetSystemInstanceList` function. An attacker can exploit this by sending a specially crafted SOAP request to gain information about the integration platform and operating system. **Recommendations** For SAP NetWeaver version 7.40, consider restricting access to the `GetSystemInstanceList` function and limiting the use of the `ReadProfile` parameters until a patch is available. As a temporary workaround, disabling remote function calls for `GetSystemInstanceList` may help minimize the risk of exploitation.