On the 9th of June 2024, SAP Security Patch Day saw the release of 16 new Security Notes.
There were 2 updates to previously released Security Notes.
Notes by severity
Severity | Count |
---|---|
HotNews | 0 |
Correction with high priority | 4 |
Correction with medium priority | 15 |
Correction with low priority | 1 |
Highlights
On July Patch Day, SAP presents 2 high-severity Notes, none of them rated as HotNews.
Although the June patch day brings only a few high-priority vulnerabilities, we will point out what you need to attend to first in this month's SAP Security Notes update.
The July patch day covered a relatively large number of diverse vulnerabilities across multiple components. Although they are mostly of medium severity, today's digest walks through the most important corrections of the past month.
We start today's digest with this month's highest-rated correction, Note 3483344 – Missing Authorization check in SAP PDCE – with a CVSS score of 7.7.
Because certain PDCE components do not carry out the required authorization checks for an authenticated user, privileges can be escalated.
This greatly compromises the application's security by enabling an attacker to view private data. The required corrections and solutions can be found in the corresponding SAP Note.
The next one to highlight is the high-severity Note 3490515 – Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce – with a CVSS score of 7.2.
When early login and registration are enabled for a Composable Storefront B2B site in SAP Commerce, users can use the forgotten-password functionality to access the site without the merchant having approved the account beforehand. If the site is not set up as an isolated site, access to other non-isolated early-login sites may also be permitted, even where registration is not allowed for those sites.
That is it for the high-severity Notes; however, we would also like to describe the most interesting Notes of the medium category.
The first of them is a correction for SAP Landscape Management, Note 3466801 – Information Disclosure vulnerability in SAP Landscape Management – with a CVSS score of 6.9, very close to the high-severity threshold.
An authenticated user can view private information disclosed in the REST Provider Definition response of SAP Landscape Management. A successful exploitation could have a significant effect on the confidentiality of the managed landscape.
We advise you to pay close attention to this correction, especially if you keep your landscape up to date.
Second is Note 3482217 – Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse – Business Planning and Simulation – with a CVSS score of 6.1.
This Note describes the corrections for two vulnerabilities in SAP Business Warehouse – Business Planning and Simulation: a Reflected XSS and a Stored XSS.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the SAP Business Warehouse – Business Planning and Simulation application because user-controlled input is not appropriately encoded. After a successful exploitation, an attacker can have a minimal effect on the application's confidentiality and integrity. More information is available under CVE-2024-39594.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the same application because user-controlled input is likewise not appropriately encoded. Users can alter the content of web pages through this vulnerability, and if it is successfully exploited, an attacker may have a minimal effect on the application's confidentiality and integrity. The CVE for this one is CVE-2024-39595.
The last correction in today's digest is Note 3468681 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLEditor – with a CVSS score of 6.1.
SAP NetWeaver Knowledge Management XMLEditor permits malicious scripts to be executed in the application due to inadequate encoding of user-controlled input, which results in a Cross-Site Scripting (XSS) vulnerability. This has a minimal effect on the application's integrity and confidentiality but no effect on its availability.
That will be it! Our team wishes you a fresh, gentle breeze to rest in during this beautiful summer.
Stay safe!
SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
FIN-BA | 3483344 | [CVE-2024-39592] Missing Authorization check in SAP PDCE | high | 7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
CEC-SCC-COM-BC-CS | 3490515 | [CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce | high | 7.2 | |
BC-VCM-LVM | 3466801 | [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management | medium | 6.9 | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N |
CA-GTF-DOB | 3459379 | [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) | medium | | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L |
BW-PLA-BPS | 3482217 | [CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse - Business Planning and Simulation | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
EP-PIN-WPC-WCM | 3468681 | [CVE-2024-34685] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLEditor | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CA-WUI-UI | 3467377 | [Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI) | medium | | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
FIN-FSCM-PF-IHB | 3457354 | [CVE-2024-37172] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management) | medium | | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L |
BC-FES-GUI | 3461110 | [CVE-2024-39600] Information Disclosure vulnerability in SAP GUI for Windows | medium | | CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N |
BC-BMT-WFM | 3485805 | [CVE-2024-34689] Allowlisting of callback-URLs in SAP Business Workflow (WebFlow Services) | medium | | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
BC-BMT-WFM | 3483993 | [CVE-2024-34689] Prerequisite for Security Note 3458789 | medium | | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
TM-CP | 3469958 | [CVE-2024-37171] Server-Side Request Forgery (SSRF) in SAP Transportation Management (Collaboration Portal) | medium | | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
BC-BMT-WFM | 3458789 | [CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services) | medium | | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
BC-MID-ICF | 3456952 | [CVE-2024-39599] Protection Mechanism Failure in SAP NetWeaver Application Server for ABAP and ABAP Platform | medium | | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
KM-SEN-MGR | 3476348 | [CVE-2024-39596] Missing Authorization check vulnerability in SAP Enable Now | medium | | CVSS:/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
CA-WUI-UI | 3101986 | Prepare CSP support for On-Premise down port for code dependency in SAP CRM WebClient UI | medium | | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N |
BC-SRV-DX-DXW | 3454858 | [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | medium | | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N |
KM-SEN-MGR | 3476340 | [CVE-2024-34692] Unrestricted File upload vulnerability in SAP Enable Now | low | | CVSS:/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N |