SAP Patches Critical Vulnerabilities in CX Commerce, NetWeaver

Enterprise software maker SAP on Tuesday announced the release of 14 new and three updated security notes as part of its May 2024 Security Patch Day.
Two new and one updated security notes are rated 'hot news', the highest severity in SAP's playbook, addressing critical flaws in Business Client, CX Commerce, and NetWeaver Application Server ABAP and ABAP Platform.
The first of the hot news security notes resolves two vulnerabilities in Customer Experience Commerce, both impacting third-party libraries in SAP's product.
The most severe of the bugs is CVE-2019-17495, a CSS injection issue in Swagger UI leading to CSS-based input field value exfiltration using the Relative Path Overwrite technique.
SAP also patched CVE-2022-36364, a remote code execution flaw in the Apache Calcite Avatica library, which exists because the library's JDBC driver does not perform sufficient checks for expected interfaces before instantiating HTTP client instances.
The second new hot news note released on SAP's May 2024 Security Patch Day resolves CVE-2024-33006, a file upload bug in NetWeaver that exists because a signature check for two content repositories is missing.
The updated hot news security note delivers the latest security updates for the Chromium-based browser in SAP Business Client, addressing a total of 23 vulnerabilities, including three high-severity bugs.
On Tuesday, SAP also announced patches for a high-severity cross-site scripting vulnerability in BusinessObjects Business Intelligence Platform, that exists because user input is not sufficiently sanitized, allowing an attacker to control a parameter in the Opendocument URL. The remaining 13 security notes resolve medium- and low-severity issues in Enable Now Manager, NetWeaver, S/4HANA, My Travel Requests, Process Integration, Replication Server, BusinessObjects, Process Integration, Global Label Management, Bank Account Management, and UI5.
SAP customers are advised to apply the security notes as soon as possible.
The company makes no mention of any of these vulnerabilities being exploited in the wild.
Attackers are known to have exploited security defects in SAP products for which patches have been released.


This Cyber News was published on www.securityweek.com. Publication date: Tue, 14 May 2024 15:43:05 +0000


Cyber News related to SAP Patches Critical Vulnerabilities in CX Commerce, NetWeaver

The Biggest SAP Cybersecurity Mistake Businesses Make-And How To Prevent It - There are no small mistakes-every mistake in cybersecurity is potentially catastrophic. Several oversights that have quietly grown into some of the most significant cybersecurity missteps can be found within SAP software configurations and include ...
1 year ago Cybersecurity-insiders.com
SAP Patches Critical Vulnerabilities in CX Commerce, NetWeaver - Enterprise software maker SAP on Tuesday announced the release of 14 new and three updated security notes as part of its May 2024 Security Patch Day. Two new and one updated security notes are rated 'hot news', the highest severity in SAP's playbook, ...
1 year ago Securityweek.com CVE-2019-17495 CVE-2022-36364 CVE-2024-33006
SAP's First Patches of 2024 Resolve Critical Vulnerabilities - Enterprise software maker SAP this week announced the release of 10 new and two updated security notes as part of its first Security Patch Day of 2024. Rated 'hot news', the highest rating in SAP's notebook, two of the new and one of the updated ...
1 year ago Securityweek.com CVE-2023-49583 CVE-2023-50422
Revolutionizing Commerce With AI - Picture a future where commerce is not just an exchange of goods and services but an intricate relationship of data, insights, and artificial intelligence. The AI revolution in commerce is redefining how we approach buying, selling, and market ...
1 year ago Feeds.dzone.com
SAP NetWeaver Vulnerability Exploited in Wild by Chinese Hackers - The exploitation technique uses HTTP request smuggling to bypass security controls and trigger a memory corruption vulnerability. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability ...
2 weeks ago Cybersecuritynews.com CVE-2023-7629
Taking a Proactive Approach to Mitigating Ransomware Part 2: Avoiding Vulnerabilities in SAP Applications - In case you missed it, in the first part of this series we talked about the importance of hardening security for the application layer as part of your proactive approach to mitigating ransomware. We know exploited vulnerabilities are the most common ...
1 year ago Securityboulevard.com
SAP Patches Critical Command Injection Vulnerabilities - Enterprise software maker SAP on Tuesday released 10 new and two updated security notes as part of its March 2024 Security Patch Day, calling attention to serious bugs in business-facing products. Three of the notes are marked 'hot news' - the ...
1 year ago Securityweek.com CVE-2019-10744 CVE-2024-22127
E-commerce Security: Protecting Customer Data - In today's digital landscape, ensuring the security of customer data in e-commerce is a crucial concern for businesses. Protecting e-commerce data security is a complex task that requires a comprehensive understanding of the challenges faced by ...
1 year ago Securityzap.com
SAP Patches Critical Vulnerability in Business Technology Platform - German enterprise software maker SAP on Tuesday announced the release of 15 new and two updated security notes as part of its December 2023 Security Patch Day. Four of the December 2023 security notes have a severity rating of 'hot news', the highest ...
1 year ago Securityweek.com CVE-2023-49583
The Biggest Tech Talent Gap Can Be Found in the SAP Ecosystem - They're not just looking for people who can write code; they want individuals who can implement, integrate, and run a variety of software platforms crucial for modern businesses. A recent Forbes case study explored dynamic areas like cybersecurity, ...
1 year ago Cysecurity.news
Chinese hackers behind attacks targeting SAP NetWeaver servers - SAP released an out-of-band emergency patch on April 24 to address this unauthenticated file upload security flaw (tracked as CVE-2025-31324) in SAP NetWeaver Visual Composer, days after cybersecurity company ReliaQuest first detected the ...
3 weeks ago Bleepingcomputer.com CVE-2025-31324
Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw - Researchers reported that the threat actors are utilizing webshells with names like, "cache.jsp" and "helper.jsp." Howver, Nextron Research says they are also using random names, making it more difficult to find vulnerable Netweaver ...
1 month ago Bleepingcomputer.com CVE-2025-31324
SAP fixes critical Netweaver flaw exploited in attacks - "Unauthenticated attackers can abuse built-in functionality to upload arbitrary files to an SAP NetWeaver instance, which means full Remote Code Execution and total system compromise," stated watchTowr CEO Benjamin Harris. The vulnerability, ...
1 month ago Bleepingcomputer.com CVE-2025-31324
SAP fixes suspected Netweaver zero-day exploited in attacks - "Unauthenticated attackers can abuse built-in functionality to upload arbitrary files to an SAP NetWeaver instance, which means full Remote Code Execution and total system compromise," stated watchTowr CEO Benjamin Harris. The vulnerability, ...
1 month ago Bleepingcomputer.com CVE-2025-31324
SAP's April 2024 Updates Patch High-Severity Vulnerabilities - Enterprise software maker SAP on Tuesday announced the release of 10 new and two updated security notes, including three notes that address high-severity vulnerabilities. Of SAP's April 2024 security notes, the most severe addresses a security ...
1 year ago Securityweek.com
Exploring Blockchain's Revolutionary Impact on E-Commerce - The trend of choosing online shopping over traditional in-store visits is on the rise, with e-commerce transactions dominating the digital landscape. Blockchain technology emerges as a solution to bolster the security of online transactions. ...
1 year ago Cysecurity.news Inception
SAP Security Patch Addresses Privilege Escalation Flaw - SAP is a leading enterprise software suite that integrates various business functions like:-. This renowned enterprise software suite helps organizations to:-. Recently, on a security note, the German multinational software company SAP released a ...
1 year ago Cybersecuritynews.com CVE-2024-21734
Chinese Hackers Exploit SAP NetWeaver 0-Day Vulnerability To Attack Critical Infrastructures - In April 2025, security researchers identified a sophisticated campaign targeting critical infrastructure networks worldwide through a previously unknown vulnerability in SAP NetWeaver Visual Composer. The vulnerability, tracked as CVE-2025-31324, ...
2 weeks ago Cybersecuritynews.com CVE-2025-31324
400+ SAP NetWeaver Devices Vulnerable to 0-Day Attacks that Exploited in the Wild - Discovered in April 2025 by ReliaQuest security researchers during incident response activities, the vulnerability has already been weaponized in attacks against organizations running even fully-patched SAP installations. Organizations using SAP ...
1 month ago Cybersecuritynews.com CVE-2025-31324
CVE-2021-2345 - Vulnerability in the Oracle Commerce Guided Search / Oracle Commerce Experience Manager product of Oracle Commerce (component: Tools and Frameworks). The supported version that is affected is 11.3.1.5. Easily exploitable vulnerability allows low ...
3 years ago
CVE-2021-2346 - Vulnerability in the Oracle Commerce Guided Search / Oracle Commerce Experience Manager product of Oracle Commerce (component: Tools and Frameworks). The supported version that is affected is 11.3.1.5. Easily exploitable vulnerability allows low ...
3 years ago
Cyber Monday Kicks Off Holiday Shopping Season With E-Commerce Security Risks - The post-Thanksgiving e-commerce shopping event known as Cyber Monday draws millions of consumers each year seeking out bargains online - to the tune of $11 billion in 2022. Amid the purchasing spree, consumers routinely share sensitive personally ...
1 year ago Darkreading.com
New ISC Security Patches Released for 2021: What You Need to Know - The Internet Systems Consortium (ISC), the largest provider of open-source Internet infrastructure software, has released new security patches designed to mitigate data breaches and other cyber threats. These new security patches, released in January ...
2 years ago Thehackernews.com
Thousands of Adobe Commerce e-stores hacked by exploiting CosmicSting bug - Sansec researchers reported that multiple threat actors have exploited a critical Adobe Commerce vulnerability, tracked as CVE-2024-34102 (aka CosmicSting, CVSS score of 9.8), to compromise more than 4,000 e-stores over the past three months. Over ...
7 months ago Securityaffairs.com CVE-2024-34102
Ransomware gangs join ongoing SAP NetWeaver attacks - Forescout Vedere Labs security researchers have also linked these ongoing attacks to a Chinese threat actor they track as Chaya_004, while EclecticIQ reported on Tuesday that three other Chinese APTs (i.e., UNC5221, UNC5174, and CL-STA-0048) are also ...
2 weeks ago Bleepingcomputer.com CVE-2025-31324 BianLian RansomEXX