On the 11th of August 2020, SAP Security Patch Day saw the release of 15 new Security Notes.
There was 1 update to previously released Patch Day Security Notes.
Notes by severity
|Correction with high priority||6|
|Correction with medium priority||8|
|Correction with low priority||0|
On August Patch Day SAP presents 8 high-severity Notes with 2 of them rated as HotNews.
Starting our highlights for today, the update for Security Note 2934135 – Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard) – with a CVSS Score of 10. This note has been re-released with updated ‘Solution’ information and additional workaround statement information. All relevant Notes could be found in the Symptom section and relevant configurations can be applied.
Another patch for SAP NetWeaver was released in Note 2928635 – Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management) – with a CVSS Score of 9. Due to inadequate filtering with the accessing user’s privileges Knowledge Management allows the automatic execution of script content in a stored file. This Note should be overviewed and present solutions or workarounds applied even if the potential attacker needs to have the administrative rights to exploit this vulnerability.
The last Note to describe related to SAP NetWeaver is 2941667 – Code Injection Vulnerability in SAP NetWeaver (ABAP) and ABAP Platform – with a CVSS Score of 8.3 and rated as a High priority Note. SAP NetWeaver (ABAP Server) and ABAP Platform allow a low-privileged attacker to inject code by executing an ABAP report over the network.