On 14.09.2021 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within SAP Business One.
SAP Note 3069882 addresses "[CVE-2021-33688] SQL Injection vulnerability in SAP Business One" to prevent sql injection (read) with a medium risk for exploitation.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Risk specificationSAP Business One allows an authenticated attacker to use specially crafted inputs to modify database queries, resulting in the retrieval of additional information persisted by the system.
SAP Business One has restricted the parameter to a whitelist.
The advisory is valid for