CVE-2016-6818

critical

Published 2017-04-13 · Modified 2026-05-13

CVSS v3

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

10.0

VIR risk

9.8

Description

SQL injection vulnerability in SAP Business Intelligence platform before January 2017 allows remote attackers to obtain sensitive information, modify data, cause a denial of service (data deletion), or launch administrative operations or possibly OS commands via a crafted SQL query. The vendor response is SAP Security Note 2361633.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

Application impact

Vendor	Product	Versions	Fixed
sap	business_intelligence_platform	`-`

References

http://www.securityfocus.com/bid/97661
https://erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-january-2017/
http://www.securityfocus.com/bid/97661
https://erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-january-2017/

CWEs

CWE-89

Verify integrity in audit chain (admin only). AS-IS.