SAP Security Notes Summary – August 2023
Traditionally, once a month I publish a review of all SAP security notes and news released in that month. SAP Security Notes contain SAP's expert advice regarding important action items and patches to ensure the security of your systems.
SAP Component | Number | Title | CVSS Score | Released On |
---|---|---|---|---|
MM-FIO-PUR-REQ-SSP | 3156972 | [CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search) | 6,1 | 22.08.2023 |
CA-UI5-COR | 3149794 | Cross-Site Scripting (XSS) vulnerabilities in jQuery-UI library bundled with SAPUI5 | 6,1 | 22.08.2023 |
SRM-EBP-INT | 2032723 | Switchable authorization checks for RFC in SRM | 6,3 | 8.08.2023 |
BI-RA-WBI | 3312586 | [CVE-2023-39440] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform | 4,4 | 8.08.2023 |
SBO-CRO-SEC | 3358300 | [CVE-2023-39437] Cross-Site Scripting (XSS) vulnerability in SAP Business One | 7,6 | 8.08.2023 |
BI-BIP-INS | 3317710 | [CVE-2023-37490] Binary hijack in SAP BusinessObjects Business Intelligence Suite (installer) | 7,6 | 8.08.2023 |
BI-BIP-CMC | 3312047 | Denial of Service (DoS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP BusinessObjects Business Intelligence Platform (CMC) | 7,5 | 8.08.2023 |
BC-CCM-CNF-PFL | 3348000 | [CVE-2023-37492] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | 4,9 | 8.08.2023 |
BC-CST-MS | 3344295 | [CVE-2023-37491] Improper Authorization check vulnerability in SAP Message Server | 7,5 | 8.08.2023 |
BC-SYB-PD | 3341599 | [CVE-2023-36923] Code Injection vulnerability in SAP PowerDesigner | 7,8 | 8.08.2023 |
BC-SYB-PD | 3341460 | [CVE-2023-37483] Multiple Vulnerabilities in SAP PowerDesigner | 9,8 | 8.08.2023 |
BC-CCM-HAG | 3358328 | [CVE-2023-36926] Information disclosure vulnerability in SAP Host Agent | 3,7 | 8.08.2023 |
BC-XI-IBF-WU | 3350494 | [CVE-2023-37488] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Process Integration | 6,1 | 8.08.2023 |
SBO-CRO-SEC | 3333616 | [CVE-2023-37487] Security Misconfiguration vulnerability in SAP Business One (Service Layer) | 5,3 | 8.08.2023 |
SBO-CRO-SEC | 3337797 | [CVE-2023-33993] SQL Injection vulnerability in SAP Business One (B1i Layer) | 7,1 | 8.08.2023 |
CEC-SCC-COM-BC-OCC | 3341934 | [CVE-2023-37486] Information Disclosure vulnerability in SAP Commerce (OCC API) | 5,9 | 8.08.2023 |
SRM-EBP-ADM-XBP | 2067220 | [CVE-2023-39436] Information Disclosure in SAP Supplier Relationship Management | 5,8 | 8.08.2023 |
CEC-SCC-PLA-PL | 3346500 | [CVE-2023-39439] Improper authentication in SAP Commerce Cloud | 8,8 | 8.08.2023 |
*CVSS (Common Vulnerability Scoring System) captures the characteristics of a vulnerability and produces a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.