Traditionally, once a month I publish a review of all SAP Security Notes and news released in that month. SAP Security Notes contain SAP's expert advice regarding important action items and patches to ensure the security of your systems.
| SAP Component | Note Number | Title | CVSS Score* | Released On |
|---|---|---|---|---|
| BC-JAS-ADM-MON | 3333426 | [CVE-2023-42477] Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application) | 6.5 | 26.10.2023 |
| BC-IAM-SSO-CCL | 3340576 | [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib | 9.8 | 24.10.2023 |
| BI-RA-WBI-FE | 3372991 | [CVE-2023-42474] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence | 6.8 | 10.10.2023 |
| FI-LOC-SRF-RUN | 3222121 | [CVE-2023-42475] Information Disclosure Vulnerability in Statutory Reporting | 4.3 | 10.10.2023 |
| SBO-CRO-SEC | 3338380 | [CVE-2023-41365] Information Disclosure vulnerability in SAP Business One (B1i) | 4.3 | 10.10.2023 |
| BC-JAS-SEC | 3371873 | Update 1 to Security Note 3324732: [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) | 5.3 | 10.10.2023 |
| BC-JAS-SEC | 3324732 | [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) | 5.3 | 10.10.2023 |
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | 10.10.2023 |
| BC-SYB-PD | 3357154 | [CVE-2023-40310] Missing XML Validation vulnerability in SAP PowerDesigner Client (BPMN2 import) | 6.5 | 10.10.2023 |
*CVSS Score: the Common Vulnerability Scoring System captures the characteristics of a vulnerability and produces a numerical score reflecting its severity. The numerical score can then be translated into a qualitative rating (such as low, medium, high, or critical) to help organizations properly assess and prioritize their vulnerability management processes.