SAP Security Notes Summary – February 2023
Traditionally, once a month I publish a review of all SAP security notes and news released in that month. SAP Security Notes contain SAP’s expert advice regarding important action items and patches to ensure the security of your systems.
SAP Component | Number | Title | CVSS Score* | Released On |
---|---|---|---|---|
BC-XI-CON-UDS | 3273480 | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) | 9,9 | 28.02.2023 |
BC-BSP | 3274585 | [CVE-2023-25614] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | 6,1 | 28.02.2023 |
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | 14.02.2023 |
EPM-BPC-NW | 3271091 | [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation | 8,5 | 14.02.2023 |
BI-BIP-CMC | 3256787 | [CVE-2023-24530] Unrestricted Upload of File in SAP BusinessObjects Business Intelligence Platform (CMC) | 8,4 | 14.02.2023 |
BC-DWB-TOO-ABA | 3287291 | [CVE-2023-23854] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | 3,8 | 14.02.2023 |
BC-CCM-HAG | 3285757 | [CVE-2023-24523] Privilege Escalation vulnerability in SAP Host Agent (Start Service) | 8,8 | 14.02.2023 |
CA-WUI-UI-TAG | 2788178 | [CVE-2023-24525] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI | 4,3 | 14.02.2023 |
CA-GTF-CSC-DME | 2985905 | [CVE-2023-24524] Missing Authorization check in SAP S/4 HANA Map Treasury Correspondence Format Data | 6,5 | 14.02.2023 |
EPM-BPC-NW-INF | 3275841 | [CVE-2023-23851] Unrestricted File Upload in SAP Business Planning and Consolidation | 5,4 | 14.02.2023 |
BC-ABA-LA | 3293786 | [CVE-2023-23858] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 6,1 | 14.02.2023 |
GRC-SPC-AC | 3281724 | [CVE-2023-0019] Missing Authorization check in SAP GRC (Process Control) | 6,5 | 14.02.2023 |
FI-TV-ODT-MTR | 3290901 | [CVE-2023-24528] Missing Authorization Check in SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) | 6,5 | 14.02.2023 |
CA-GTF-PCF | 3282663 | [CVE-2023-24529] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages application) | 6,1 | 14.02.2023 |
BC-BSP | 3269118 | [CVE-2023-24522] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | 6,1 | 14.02.2023 |
BC-BSP | 3269151 | [CVE-2023-24521] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | 6,1 | 14.02.2023 |
BC-MID-ICF | 3271227 | [CVE-2023-23853] URL Redirection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | 6,1 | 14.02.2023 |
BC-MID-AC | 3268959 | [Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform | 6,1 | 14.02.2023 |
SV-SMG-MON-SYS | 3266751 | [CVE-2023-23852] Cross-Site Scripting (XSS) vulnerability in SAP Solution Manager 7.2 | 6,1 | 14.02.2023 |
SV-SMG-SVD-SWB | 3265846 | [CVE-2023-0024] Cross Site Scripting in SAP Solution Manager (BSP Application) | 6,5 | 14.02.2023 |
SV-SMG-SVD-SWB | 3267442 | [CVE-2023-0025] Cross Site Scripting in SAP Solution Manager (BSP Application) | 6,5 | 14.02.2023 |
SV-SMG-OP | 3270509 | [CVE-2023-23855] URL Redirection vulnerability in SAP Solution Manager | 6,5 | 14.02.2023 |
BI-BIP-INV | 3263135 | [CVE-2023-0020] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence platform | 8,5 | 14.02.2023 |
BI-RA-WBI-FE | 3263863 | [CVE-2023-23856] Cross-Site Scripting (XSS) vulnerability in Web Intelligence Interface | 4,3 | 14.02.2023 |
BC-JAS-WEB | 3262544 | [CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service) | 6,1 | 07.02.2023 |
*The Common Vulnerability Scoring System (CVSS) captures the principal characteristics of a vulnerability and produces a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.