Anonymous attacker can use a special HTTP request to get information about SAP NetWeaver users. A potential attacker can use the vulnerability in order to reveal information about user names, first and last names, and associated emails, this can provide an attacker with enough information to make a more accurate and effective attack. Steps to exploit this vulnerability: 1. Open http://SAP/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/ACreate or http://SAP/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/com.sap.caf.eu.gp.example.timeoff.wd.create.ACreate page on SAP server. 2. Press 'Change processor' button. 3. and in the 'find' section, put the initial or name to be searched, followed by a *.