
Vulnerabilities

SAP Patches Critical Vulnerabilities in CX Commerce, NetWeaver

SAP has released 14 new and three updated security notes on its May 2024 Security Patch Day. The post SAP Patches Critical Vulnerabilities in CX Commerce, NetWeaver appeared first on SecurityWeek.

SAP vulnerabilities

Enterprise software maker SAP on Tuesday announced the release of 14 new and three updated security notes as part of its May 2024 Security Patch Day.

Two new security notes and one updated note are rated ‘hot news’, the highest severity rating in SAP’s playbook; they address critical flaws in Business Client, CX Commerce, and NetWeaver Application Server ABAP and ABAP Platform.

The first of the hot news security notes resolves two vulnerabilities in Customer Experience (CX) Commerce, both impacting third-party libraries in SAP’s product.

The most severe of the bugs is CVE-2019-17495 (CVSS score of 9.8), a CSS injection issue in Swagger UI leading to CSS-based input field value exfiltration using the Relative Path Overwrite (RPO) technique.

SAP also patched CVE-2022-36364 (CVSS score of 8.8), a remote code execution flaw in the Apache Calcite Avatica library, which exists because the library’s JDBC driver does not perform sufficient checks for expected interfaces before instantiating HTTP client instances.
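The Avatica flaw above is a general pattern: a driver reads a class name from configuration and instantiates it without first confirming that the class is what the driver expects. The following added example (written for this page, not code from SAP or the Apache Calcite project) shows the defensive version of that step in Python: the configured name is resolved, and the object is instantiated only if it is a concrete class implementing the expected interface. The interface `HttpClient`, the classes `DefaultHttpClient` and `Unrelated`, and the function names are all constructed for the demonstration.

```python
import importlib
import inspect
from abc import ABC, abstractmethod


class HttpClient(ABC):
    """Hypothetical interface standing in for the contract a JDBC driver expects of its HTTP client."""

    @abstractmethod
    def send(self, request: bytes) -> bytes: ...


class DefaultHttpClient(HttpClient):
    """Constructed implementation that genuinely satisfies the interface."""

    def send(self, request: bytes) -> bytes:
        return b"OK:" + request


class Unrelated:
    """Constructed class that does NOT implement HttpClient; naming it in config must be refused."""

    def __init__(self) -> None:
        self.constructor_ran = True


def resolve_class(class_name: str):
    """Look up a class by name. Dotted names are imported; bare names are taken from this module."""
    module_name, _, attr = class_name.rpartition(".")
    if module_name:
        obj = getattr(importlib.import_module(module_name), attr, None)
    else:
        obj = globals().get(attr)
    if obj is None:
        raise LookupError(f"no such class: {class_name}")
    return obj


def make_client(class_name: str) -> HttpClient:
    """Instantiate the configured client only after checking it is a concrete HttpClient subclass.

    The missing check in the vulnerable pattern is the issubclass/isabstract test below:
    without it, any importable class or callable named in configuration would be executed.
    """
    cls = resolve_class(class_name)
    if not inspect.isclass(cls) or not issubclass(cls, HttpClient) or inspect.isabstract(cls):
        raise TypeError(f"{class_name} is not a concrete HttpClient implementation")
    return cls()


if __name__ == "__main__":
    print(make_client("DefaultHttpClient").send(b"ping"))
    for bad in ("Unrelated", "os.path.join"):
        try:
            make_client(bad)
        except TypeError as exc:
            print("refused:", exc)
```

The ordering matters: the interface check runs before the constructor is called, so a class named in configuration never gets to run any code unless it already satisfies the expected contract.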

The second new hot news note released on SAP’s May 2024 Security Patch Day resolves CVE-2024-33006 (CVSS score of 9.6), a file upload bug in NetWeaver that exists because a signature check for two content repositories is missing.

“An unauthenticated attacker can upload a malicious file to the server which when accessed by a victim can allow an attacker to completely compromise the system,” application security firm Onapsis explains.

The updated hot news security note delivers the latest security updates for the Chromium-based browser in SAP Business Client, addressing a total of 23 vulnerabilities, including three high-severity bugs.

On Tuesday, SAP also announced patches for a high-severity cross-site scripting (XSS) vulnerability in BusinessObjects Business Intelligence Platform that exists because user input is not sufficiently sanitized, allowing an attacker to control a parameter in the Opendocument URL.

The remaining 13 security notes resolve medium- and low-severity issues in Enable Now Manager, NetWeaver, S/4HANA, My Travel Requests, Process Integration, Replication Server, BusinessObjects, Process Integration, Global Label Management, Bank Account Management, and UI5 (PDFViewer).

SAP customers are advised to apply the security notes as soon as possible. The company makes no mention of any of these vulnerabilities being exploited in the wild. However, attackers are known to have exploited security defects in SAP products for which patches have been released.

Related: SAP Applications Increasingly in Attacker Crosshairs, Report Shows

Related: SAP’s April 2024 Updates Patch High-Severity Vulnerabilities

Related: SAP Patches Critical Command Injection Vulnerabilities
