PT-2021-7243 · SAP · SAP MII

Nicolas Raus · Published 2021-03-09 · Updated 2024-03-12 · CVE-2021-21480

CVSS v2.0: 9.0
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions:

SAP MII (affected versions not specified)

Description:

The issue allows an attacker to intercept a request to the server, inject malicious JSP code in the request, and forward it to the server. When a dashboard is opened by users with at least the SAP XMII Developer role, the malicious content in the dashboard gets executed, leading to remote code execution in the server, which allows privilege escalation. The malicious JSP code can contain certain OS commands, through which an attacker can read sensitive files in the server, modify files, or even delete contents in the server, thus compromising the confidentiality, integrity, and availability of the server hosting the SAP MII application.

Recommendations:

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Code Injection

Related Identifiers

BDU:2022-04117
CVE-2021-21480

Affected Products

SAP MII