German enterprise software maker SAP on Tuesday announced the release of 15 new and two updated security notes as part of its December 2023 Security Patch Day.
Four of the December 2023 security notes carry a severity rating of 'hot news', the highest on SAP's severity scale, but three of them are updates to previously released notes.
The new hot news security note deals with multiple vulnerabilities in SAP Business Technology Platform, the most severe of which is a critical-severity elevation of privilege flaw.
Tracked as CVE-2023-49583, the issue was identified in the BTP Security Services Integration Libraries, which simplify the integration of BTP security services and other identity services.
To draw attention to the vulnerability, SAP has published a separate blog post, urging all customers to review the security note, ensure that their systems meet required prerequisites for the update, and apply the provided solution to address the bug.
The first of the three updated hot news notes brings patches for the Chromium-based browser in SAP Business Client.
The update plugs 44 security holes, including three critical bugs and 17 high-severity issues.
SAP released four high-priority security notes as part of its December 2023 patches, the first of which addresses an improper access control bug in Commerce Cloud, which could allow blocked users to use the forgotten password feature to regain access to the application.
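The Commerce Cloud flaw described above is a textbook case of an access-control check missing from an account-recovery path: the forgotten-password flow is typically reachable without a session, so a "blocked" flag enforced only at login does nothing. The following is an added illustration written for this article, not SAP code and not a description of how Commerce Cloud itself is implemented; the `User` records, e-mail addresses and in-memory store are constructed for the example. It shows the weak pattern (reset issued whenever the address exists) beside a hardened one that checks the block both when a token is requested and again when it is redeemed, and that answers unknown and blocked addresses identically.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class User:
    """Constructed account record for the illustration (not a real schema)."""
    email: str
    blocked: bool = False                  # set by an administrator on lock-out
    password_hash: str = ""
    reset_tokens: set = field(default_factory=set)


def request_reset_weak(users, email):
    """Weak pattern: only checks that the account exists, so a blocked user
    can still obtain a reset token and regain access."""
    user = users.get(email)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    user.reset_tokens.add(token)
    return token


def request_reset_hardened(users, email):
    """Checks the blocked flag before issuing a token. Unknown and blocked
    addresses get the same response so the flow does not reveal which it was."""
    user = users.get(email)
    if user is None or user.blocked:
        return None
    token = secrets.token_urlsafe(32)
    user.reset_tokens.add(token)
    return token


def complete_reset(users, email, token, new_password_hash):
    """Redeems a token. The block is re-checked here because an account may be
    blocked after the token was issued; tokens are single-use."""
    user = users.get(email)
    if user is None or user.blocked:
        return False
    if token not in user.reset_tokens:
        return False
    user.reset_tokens.discard(token)
    user.password_hash = new_password_hash
    return True


def demo():
    """Returns (weak_issued_token, hardened_refused) for a blocked account."""
    users = {
        "blocked@example.test": User("blocked@example.test", blocked=True),
        "active@example.test": User("active@example.test"),
    }
    weak = request_reset_weak(users, "blocked@example.test")
    hardened = request_reset_hardened(users, "blocked@example.test")
    return weak is not None, hardened is None


if __name__ == "__main__":
    print(demo())
```

The second check in `complete_reset` is the one most often forgotten: issuing and redeeming a token are separate requests, and the account's state can change between them, so the block must be enforced at both steps rather than only where the token is minted.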
A high-severity cross-site scripting flaw in BusinessObjects that could allow an attacker to upload malicious documents to the system and an information disclosure issue in SAP GUI for Windows and SAP GUI for Java, leading to the exposure of confidential information, were also resolved.
SAP patched a high-severity missing authorization check bug in EMARSYS SDK Android, which could allow an attacker with control over a victim's Android device to have the host application forward URLs to them without validation.
SAP also released seven medium-priority and two low-priority security notes.
The software maker makes no mention of any of these vulnerabilities being exploited in malicious attacks, but threat actors are known to target SAP application vulnerabilities.
This Cyber News was published on www.securityweek.com. Publication date: Tue, 12 Dec 2023 19:13:04 +0000