Unveiled Details:
On the latest SAP Patch Day, SAP released seventeen SAP Security Notes addressing a range of security issues, three of them classified as HotNews Notes. The article detailing these updates was written by Thomas Fritsch and published on the Onapsis Blog.
One of the critical vulnerabilities addressed stems from the bundled Swagger UI library and allows an attacker to apply the Relative Path Overwrite (RPO) technique through CSS-based input fields. This issue was reported in SAP NetWeaver Application Server ABAP and ABAP Platform.
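To make the RPO point concrete, the following is an added example written for this page; it is not code from the Onapsis article, from SAP, or from the Swagger UI project. It models the mechanism behind a Relative Path Overwrite: a page references its stylesheet with a relative `href`, the server tolerates extra "path info" after the page's path, and an attacker-crafted URL therefore makes the browser resolve the stylesheet link back to the HTML page itself, which is then parsed as CSS together with whatever input the page reflects. The host `sap-host.example`, the path `/api-docs/index.html`, the href values and the `simulateServer` model are all hypothetical; the general resolution behaviour is the WHATWG URL algorithm, which is what browsers use.

```javascript
// Added example (not from the Onapsis article, SAP, or Swagger UI):
// a model of how a Relative Path Overwrite (RPO) makes a relative stylesheet
// reference resolve back to the page itself. Host, paths and hrefs are
// hypothetical.

// An href is relative when it has neither a URL scheme nor a leading "/".
function isRelativeHref(href) {
  return !/^([a-z][a-z0-9+.-]*:|\/)/i.test(href);
}

// Resolve stylesheet hrefs the way a browser does: against the URL the page
// was actually loaded from, not the URL the developer had in mind.
function resolveStylesheets(pageUrl, hrefs) {
  return hrefs.map((href) => new URL(href, pageUrl).href);
}

// Hypothetical server model: it answers the same HTML document for its
// canonical path and for any URL that appends extra path info after it.
// Returns the content type it would send for requestUrl.
function simulateServer(docPath, requestUrl) {
  const path = new URL(requestUrl).pathname;
  if (path === docPath || path.startsWith(docPath + '/')) return 'text/html';
  if (path.endsWith('.css')) return 'text/css';
  return 'not found';
}

// The attacker's URL: the canonical page path plus an arbitrary trailing segment.
function rpoPathInfoUrl(origin, docPath, extraSegment) {
  return origin + docPath + '/' + encodeURIComponent(extraSegment) + '/';
}

// Compare what the stylesheet links fetch under the canonical URL and under
// the attacker-crafted URL. selfReferenced is true when at least one link
// ends up fetching the HTML page itself, which the browser then parses as
// CSS: that is the RPO condition.
function rpoOutcome(origin, docPath, hrefs, extraSegment) {
  const classify = (u) => ({ url: u, type: simulateServer(docPath, u) });
  const canonical = resolveStylesheets(origin + docPath, hrefs).map(classify);
  const attacked = resolveStylesheets(
    rpoPathInfoUrl(origin, docPath, extraSegment), hrefs).map(classify);
  return {
    canonical,
    attacked,
    selfReferenced: attacked.some((r) => r.type === 'text/html'),
  };
}

// Hardening: rewrite a relative href as root-relative, so that path info
// appended to the page URL no longer changes where the stylesheet resolves.
// The placeholder origin is only used to normalise "./" and "../" segments.
function hardenHref(href, docDir) {
  if (!isRelativeHref(href)) return href;
  return new URL(href, 'http://placeholder' + docDir).pathname;
}

// Walk-through with constructed values.
function demo() {
  const origin = 'https://sap-host.example';      // hypothetical host
  const docPath = '/api-docs/index.html';         // hypothetical Swagger UI page
  const relative = ['swagger-ui.css'];            // as shipped: relative
  const hardened = relative.map((h) => hardenHref(h, '/api-docs/'));
  return {
    vulnerable: rpoOutcome(origin, docPath, relative, 'x'),
    hardened: rpoOutcome(origin, docPath, hardened, 'x'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node`, the `vulnerable` result shows the attacked request for `swagger-ui.css` landing on `/api-docs/index.html/x/swagger-ui.css` with content type `text/html`, while the `hardened` result keeps resolving to `/api-docs/swagger-ui.css`. As a check during an assessment, the two things to look at are whether the application's stylesheet links are relative and whether the server still serves the page when extra path segments are appended; the SAP note itself remains the fix, the root-relative rewrite only illustrates why it works.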
Another significant vulnerability is a File Upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform, rated with a CVSS score of 9.6 and addressed by SAP Security Note #3448171.
The Onapsis Research Labs contributed to fixing this File Upload vulnerability as well as two Cross-Site Scripting (XSS) vulnerabilities, both tagged with a CVSS score of 6.1. In total, they supported SAP in patching one HotNews, one High Priority and two Medium Priority Notes.
One of the XSS vulnerabilities was detected in SAP NetWeaver Application Server ABAP and ABAP Platform and was patched by SAP Security Note #3450286. A further XSS vulnerability, with a CVSS score of 8.1 (High Priority), was found in SAP BusinessObjects Business Intelligence Platform and was addressed by SAP Security Note #3431794.
The Onapsis Research Labs have also updated the Onapsis Platform to cover the newly published vulnerabilities, so that customers can detect and protect against them. The Cybersecurity and Infrastructure Security Agency (CISA) is credited with contributing to the fix for the critical File Upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform.
SAP Security Note #2622660, the recurring note for the Chromium browser control delivered with SAP Business Client, patches twenty-three Chromium vulnerabilities, thirteen of them rated High Priority. Another important note, SAP Security Note #3455438, patches two critical vulnerabilities in SAP Customer Experience (CX) Commerce, with a CVSS score of 9.8.
Lastly, SAP Security Note #3460772 disables the obsolete Document Service handler of the Data Provisioning Service in SAP S/4HANA. The note addresses a vulnerability classified as Cross-Site Scripting (XSS) that allows an unauthenticated attacker to upload a malicious file to the server; since the handler is obsolete, disabling it removes the attack surface rather than patching the handler itself.
For more information about the latest SAP security issues, customers can subscribe to the Onapsis Defender's Digest newsletter.