Enterprise software maker SAP on Tuesday announced the release of 14 new and three updated security notes as part of its May 2024 Security Patch Day.
Two of the new notes and one of the updated notes are rated 'hot news', the highest severity in SAP's playbook, addressing critical flaws in Business Client, CX Commerce, and NetWeaver Application Server ABAP and ABAP Platform.
The first of the hot news security notes resolves two vulnerabilities in Customer Experience Commerce, both impacting third-party libraries in SAP's product.
The most severe of the bugs is CVE-2019-17495, a CSS injection issue in Swagger UI leading to CSS-based input field value exfiltration using the Relative Path Overwrite technique.
SAP also patched CVE-2022-36364, a remote code execution flaw in the Apache Calcite Avatica library, which exists because the library's JDBC driver does not perform sufficient checks for expected interfaces before instantiating HTTP client instances.
The second new hot news note released on SAP's May 2024 Security Patch Day resolves CVE-2024-33006, a file upload bug in NetWeaver that exists because a signature check for two content repositories is missing.
The updated hot news security note delivers the latest security updates for the Chromium-based browser in SAP Business Client, addressing a total of 23 vulnerabilities, including three high-severity bugs.
On Tuesday, SAP also announced patches for a high-severity cross-site scripting vulnerability in BusinessObjects Business Intelligence Platform that exists because user input is not sufficiently sanitized, allowing an attacker to control a parameter in the Opendocument URL.

The remaining 13 security notes resolve medium- and low-severity issues in Enable Now Manager, NetWeaver, S/4HANA, My Travel Requests, Process Integration, Replication Server, BusinessObjects, Global Label Management, Bank Account Management, and UI5.
SAP customers are advised to apply the security notes as soon as possible.
The company makes no mention of any of these vulnerabilities being exploited in the wild.
Attackers are known to have exploited security defects in SAP products for which patches have been released.
This Cyber News was published on www.securityweek.com. Publication date: Tue, 14 May 2024 15:43:05 +0000