Warning: Undefined variable $comments_html in /home/u319666691/domains/cybersecurityboard.com/public_html/_template.php on line 527

SAP Patches Critical Command Injection Vulnerabilities

Enterprise software maker SAP on Tuesday released 10 new and two updated security notes as part of its March 2024 Security Patch Day, calling attention to serious bugs in business-facing products.
Three of the notes are marked 'hot news' - the highest severity rating in SAP's playbook - and resolve critical vulnerabilities in the Chromium browser in Business Client, Build Apps, and NetWeaver AS Java.
The most severe is an update that brings the latest Chrome patches to Business Client.
Now running Chromium version 121.0.6167.184, the update resolves 29 security defects in the browser, including two critical-severity bugs and 15 high-severity issues.
The company documented the second serious bug as CVE-2019-10744, a critical vulnerability in the lodash utility library in Build Apps.
Applications built using a flawed iteration of the tool allow attackers to run unauthorized commands on the system, according to a warning from application security firm Onapsis.
Build Apps version 4.9.145 addresses the flaw and applications should be rebuilt using this or a newer iteration of the programming tool.
The third hot news note released on SAP's March 2024 Security Patch Day addresses CVE-2024-22127 a code injection flaw in the Administrator Log Viewer plugin of NetWeaver AS Java.
An incomplete list of file types prohibited for upload allows an attacker to upload arbitrary files, which could lead to command injection.
On Tuesday, SAP also published three high-priority security notes, including an update to an August 2023 note addressing an improper authentication flaw in Commerce Cloud that could allow attackers to authenticate without a passphrase.
The new high-priority security notes address a denial-of-service bug in HANA XS Classic and HANA XS Advanced, related to the use of the HTTP/2 protocol, and a path traversal issue in the central management console of the BusinessObjects Business Intelligence Platform, which exists because of a vulnerable version of Apache Struts.
The remaining six security notes address medium-severity vulnerabilities in NetWeaver, Fiori Front End Server, and ABAP Platform.
SAP makes no mention of any of these vulnerabilities being exploited in the wild, but threat actors are known to have targeted flaws in SAP applications for which patches have been released.

This Cyber News was published on www.securityweek.com. Publication date: Tue, 12 Mar 2024 18:43:05 +0000

Cyber News related to SAP Patches Critical Command Injection Vulnerabilities

The Biggest SAP Cybersecurity Mistake Businesses Make-And How To Prevent It - There are no small mistakes-every mistake in cybersecurity is potentially catastrophic. Several oversights that have quietly grown into some of the most significant cybersecurity missteps can be found within SAP software configurations and include ...
1 year ago Cybersecurity-insiders.com

Taking a Proactive Approach to Mitigating Ransomware Part 2: Avoiding Vulnerabilities in SAP Applications - In case you missed it, in the first part of this series we talked about the importance of hardening security for the application layer as part of your proactive approach to mitigating ransomware. We know exploited vulnerabilities are the most common ...
1 year ago Securityboulevard.com

SAP's First Patches of 2024 Resolve Critical Vulnerabilities - Enterprise software maker SAP this week announced the release of 10 new and two updated security notes as part of its first Security Patch Day of 2024. Rated 'hot news', the highest rating in SAP's notebook, two of the new and one of the updated ...
1 year ago Securityweek.com CVE-2023-49583 CVE-2023-50422

The Biggest Tech Talent Gap Can Be Found in the SAP Ecosystem - They're not just looking for people who can write code; they want individuals who can implement, integrate, and run a variety of software platforms crucial for modern businesses. A recent Forbes case study explored dynamic areas like cybersecurity, ...
1 year ago Cysecurity.news

SAP Patches Critical Vulnerability in Business Technology Platform - German enterprise software maker SAP on Tuesday announced the release of 15 new and two updated security notes as part of its December 2023 Security Patch Day. Four of the December 2023 security notes have a severity rating of 'hot news', the highest ...
1 year ago Securityweek.com CVE-2023-49583

SAP Patches Critical Vulnerabilities in CX Commerce, NetWeaver - Enterprise software maker SAP on Tuesday announced the release of 14 new and three updated security notes as part of its May 2024 Security Patch Day. Two new and one updated security notes are rated 'hot news', the highest severity in SAP's playbook, ...
1 year ago Securityweek.com CVE-2019-17495 CVE-2022-36364 CVE-2024-33006

SAP NetWeaver Vulnerability Exploited in Wild by Chinese Hackers - The exploitation technique uses HTTP request smuggling to bypass security controls and trigger a memory corruption vulnerability. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability ...
3 months ago Cybersecuritynews.com CVE-2023-7629

SAP Security Patch Addresses Privilege Escalation Flaw - SAP is a leading enterprise software suite that integrates various business functions like:-. This renowned enterprise software suite helps organizations to:-. Recently, on a security note, the German multinational software company SAP released a ...
1 year ago Cybersecuritynews.com CVE-2024-21734

SAP Patches Critical Command Injection Vulnerabilities - Enterprise software maker SAP on Tuesday released 10 new and two updated security notes as part of its March 2024 Security Patch Day, calling attention to serious bugs in business-facing products. Three of the notes are marked 'hot news' - the ...
1 year ago Securityweek.com CVE-2019-10744 CVE-2024-22127

SAP's April 2024 Updates Patch High-Severity Vulnerabilities - Enterprise software maker SAP on Tuesday announced the release of 10 new and two updated security notes, including three notes that address high-severity vulnerabilities. Of SAP's April 2024 security notes, the most severe addresses a security ...
1 year ago Securityweek.com

New ISC Security Patches Released for 2021: What You Need to Know - The Internet Systems Consortium (ISC), the largest provider of open-source Internet infrastructure software, has released new security patches designed to mitigate data breaches and other cyber threats. These new security patches, released in January ...
2 years ago Thehackernews.com

GitLab Patches: Severe SAML Authentication Bypass Flaw Fixed - Security Boulevard - In addition to these patches, OmniAuth SAML has been upgraded to version 2.2.1 and Ruby-SAML to 1.17.0. It’s worth mentioning that the issue only impacts self-managed instances; therefore, users of GitLab Dedicated instances do not need to take any ...
11 months ago Securityboulevard.com CVE-2024-45409

Oracle Security Update - Patch for 378 Vulnerabilities Including Remote Exploits - “Oracle strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay,” the company stated in its advisory. Oracle Database Server versions 19.3-19.26, 21.3-21.17, ...
4 months ago Cybersecuritynews.com

January Patch Tuesday: New year, more Windows bugs The Register - Patch Tuesday Microsoft rang in the New Year with a relatively calm Patch Tuesday: Just 49 Windows security updates including fixes for two critical-rated bugs, plus four high-severity Chrome flaws in Microsoft Edge. None of the January CVEs are ...
1 year ago Go.theregister.com CVE-2024-20674 CVE-2024-20700 CVE-2023-49583 CVE-2023-50422 CVE-2023-20193 CVE-2023-20194

Final Patch Tuesday of 2023 goes out with a bang The Register - It's the last Patch Tuesday of 2023, which calls for celebration - just as soon as you update Windows, Adobe, Google, Cisco, FortiGuard, SAP, VMware, Atlassian and Apple products, of course. Let's start with Apple, since two of the bugs Cupertino ...
1 year ago Go.theregister.com CVE-2023-42916 CVE-2023-42917 CVE-2023-36019 CVE-2023-20588 CVE-2023-34064 CVE-2023-41678

Final Patch Tuesday of 2023 goes out with a bang The Register - It's the last Patch Tuesday of 2023, which calls for celebration - just as soon as you update Windows, Adobe, Google, Cisco, FortiGuard, SAP, VMware, Atlassian and Apple products, of course. Let's start with Apple, since two of the bugs Cupertino ...
1 year ago Packetstormsecurity.com CVE-2023-42916 CVE-2023-42917 CVE-2023-36019 CVE-2023-20588 CVE-2023-34064 CVE-2023-41678

Strobes 2023 Pentesting Recap: Trends, Stats, and How PTaaS is Transforming Cybersecurity - This article covers some amazing statistics on what category of vulnerabilities we commonly report across 100s of customers, and how we reduce compliance times and turn around time to reporting critical vulnerabilities. In a different article, we ...
1 year ago Securityboulevard.com

SAP’s July 2025 Patch Day - Patch for 27 Vulnerabilities Including 7 Critical One’s - The remaining critical vulnerabilities focus on insecure deserialization issues across SAP NetWeaver Enterprise Portal components, including CVE-2025-42980 in the Federated Portal Network, CVE-2025-42964 in Portal Administration, CVE-2025-42966 in ...
1 month ago Cybersecuritynews.com CVE-2025-42980

SAP April 2025 Security Update : Critical Code Injection Vulnerabilities Patched - This comprehensive update focuses on addressing multiple vulnerabilities in SAP’s extensive product portfolio, with a particular spotlight on critical code injection flaws that posed significant risks to enterprise environments. By addressing ...
4 months ago Cybersecuritynews.com CVE-2024-56337

21 Vulnerabilities in Sierra Wireless Routers Could Expose Critical Infrastructure to Attacks - Some Sierra Wireless cellular routers are affected by 21 vulnerabilities, including ones that could pose a significant risk to impacted organizations, including in critical infrastructure sectors, according to network security and risk management ...
1 year ago Securityweek.com

Threat Brief: Ivanti Vulnerabilities CVE-2023-46805 and CVE-2024-21887 - On Jan. 10, 2024, Ivanti disclosed two new vulnerabilities in their Ivanti Connect Secure and Ivanti Policy Secure gateways: CVE-2023-46805 and CVE-2024-21887. The first CVE is a High severity authentication bypass vulnerability, and the second CVE ...
1 year ago Unit42.paloaltonetworks.com CVE-2023-46805 CVE-2024-21887

Ivanti discloses new zero-day flaw, releases delayed patches - Ivanti Wednesday released patches for two critical zero-day vulnerabilities that were disclosed earlier this month, but also warned customers of two new flaws, including a new zero-day that's under exploitation in the wild. In a security advisory on ...
1 year ago Techtarget.com CVE-2023-46805 CVE-2024-21887 CVE-2024-21888 CVE-2024-21893

Cybersecurity Weekly Recap: Latest on Attacks, Vulnerabilities, & Data Breaches - A critical SSRF vulnerability in Microsoft Power Platform’s SharePoint connector allowed attackers to impersonate users and access sensitive data. Ivanti patched a critical command injection vulnerability in its Cloud Services Appliance (CSA), ...
6 months ago Cybersecuritynews.com CVE-2025-0108 CVE-2024-53704 CVE-2024-52875 CVE-2023-20198 CVE-2023-20273 Winnti Group

400+ SAP NetWeaver Devices Vulnerable to 0-Day Attacks that Exploited in the Wild - Discovered in April 2025 by ReliaQuest security researchers during incident response activities, the vulnerability has already been weaponized in attacks against organizations running even fully-patched SAP installations. Organizations using SAP ...
4 months ago Cybersecuritynews.com CVE-2025-31324