On the 14th of January 2020, SAP Security Patch Day saw the release of 6 Security Notes.
Notes by severity
|Correction with high priority||0|
|Correction with medium priority||6|
|Correction with low priority||0|
On January Patch Day SAP presents 6 medium-severity Security Notes.
This month, SAP did not release any Security Notes higher than medium severity. However, in our today digest, we will cover the most significant ones among them.
Starting with the Note 2863743 – Cross-Site Scripting (XSS) vulnerability in Rest Adapter of SAP Process – with a CVSS Score of 6.1. Rest Adapter of SAP Process Integration does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This vulnerability exploitation could lead to non-permanently defacing or modifying displayed content from a Web site or stealing authentication information of the user.
The next one will be 2848498 – Denial of service (DOS) in SAP NetWeaver Internet Communication Manager – with a CVSS Score of 5.9. An attacker can send a specially crafted packet to the IIOP or P4 service in order to cause a buffer overflow and thus crash the ICM process. Even if the execution of such actions requires the modification of the default parameters, an attack using this vulnerability as a breach could cause the ICM process to crash due to buffer overflow.