SAP Security Notes Summary – September 2021
Once a month I publish a review of all SAP Security Notes and related news released during that month. SAP Security Notes contain SAP's expert advice on important action items and patches to ensure the security of your systems.
SAP Component | SAP Notes | Title | CVSS Score* | Released On |
---|---|---|---|---|
CO-FIO-OM-PL | 2988956 | Cross-Site Request Forgery (CSRF) vulnerability in S/4HANA OP2020, OP1909 in Import Financial Plan Data | 5,4 | 28.09.2021 |
CO-FIO-OM-PL | 2988962 | Cross-Site Request Forgery (CSRF) vulnerability for S/4HANA OP2020, OP1909 in Import Financial Plan Data | 5,4 | 28.09.2021 |
XX-CSC-OM-FI | 2308378 | Missing Authorization check in Financial Accounting | 4,3 | 14.09.2021 |
CA-VE-VEV | 3087791 | [CVE-2021-38174] Improper Input Validation in SAP 3D Visual Enterprise Viewer | 4,3 | 14.09.2021 |
EP-PIN-PRT | 3082219 | [CVE-2021-21489] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 4,8 | 14.09.2021 |
BC-ESI-WS-JAV-RT | 3081888 | [CVE-2021-37531] Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms) | 9,9 | 14.09.2021 |
SBO-CRO-SEC | 3075546 | [CVE-2021-37532] Directory Listing Enabled in SAP Business One | 4,3 | 14.09.2021 |
CRM-CCI | 3073891 | [CVE-2021-33672] Multiple vulnerabilities in SAP Contact Center | 9,6 | 14.09.2021 |
FI-LOC-FI-FR | 3068582 | [CVE-2021-38164] Missing Authorization check in SAP ERP Financial Accounting / RFOPENPOSTING_FR | 5,4 | 14.09.2021 |
CEC-MKT-CPG-LNS | 3068337 | Reverse tabnabbing vulnerability in SAP Marketing Lead Nurture Stream | 3,5 | 14.09.2021 |
BC-FES-BUS-DSK | 3060621 | [CVE-2021-38150] Information disclosure in SAP Business Client | 6,1 | 14.09.2021 |
BC-UPG-NZ | 3089831 | [CVE-2021-38176] SQL Injection vulnerability in SAP NZDT Mapping Table Framework | 9,9 | 14.09.2021 |
EP-VC-RTM | 3084487 | [CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT) | 9,9 | 14.09.2021 |
BW-BEX-OT-RRI | 3082500 | [CVE-2021-38175] Information Disclosure in SAP Analysis for Microsoft Office | 6,5 | 14.09.2021 |
BC-CST-WDP | 3080567 | [CVE-2021-38162] HTTP Request Smuggling in SAP Web Dispatcher | 8,9 | 14.09.2021 |
BC-JAS-JMS | 3078609 | [CVE-2021-37535] Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service) | 10 | 14.09.2021 |
SBO-CRO-SEC | 3070138 | [CVE-2021-33686] Information Disclosure in SAP Business One | 5,3 | 14.09.2021 |
SBO-CRO-SEC | 3069882 | [CVE-2021-33688] SQL Injection vulnerability in SAP Business One | 4,3 | 14.09.2021 |
SBO-CRO-SEC | 3069032 | [CVE-2021-33685] Directory Traversal vulnerability in SAP Business One | 6,5 | 14.09.2021 |
BI-BIP-INV | 3055180 | [CVE-2021-33679] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Workspace) | 5,4 | 14.09.2021 |
BC-IAM-SSO-CCL | 3051787 | [CVE-2021-38177] Null Pointer Dereference vulnerability in SAP CommonCryptoLib | 7,5 | 14.09.2021 |
*The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative rating (in CVSS v3.x: Low 0.1 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9, Critical 9.0 to 10.0) to help organizations assess and prioritize their vulnerability management processes. Note that the scores in the table above are written with a decimal comma, so "8,9" means 8.9.
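As an added example that is not part of the original post, the script below does the prioritization the footnote describes: it parses rows in the layout of the table above (a few rows are copied inline as constructed sample input, decimal comma included), maps each score onto the CVSS v3.x qualitative rating scale published by FIRST, and lists the notes in the order a patch team would work through them. It assumes the scores are CVSS v3.x, which the page itself does not state; the `SecurityNote` class and the function names are the example's own.

```python
"""Rank SAP Security Notes from the monthly summary table by CVSS severity.

Added example, not code from the original post. Assumes the scores are
CVSS v3.x; the qualitative bands below are from the FIRST CVSS v3.x
specification (Table 14 in the v3.1 document).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: four rows copied from the summary table above, in the
# same markdown layout, including the European decimal comma the page uses.
SAMPLE_TABLE = """\
SAP Component | SAP Notes | Title | CVSS Score | Released On |
---|---|---|---|---|
BC-JAS-JMS | 3078609 | [CVE-2021-37535] Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service) | 10 | 14.09.2021 |
BC-CST-WDP | 3080567 | [CVE-2021-38162] HTTP Request Smuggling in SAP Web Dispatcher | 8,9 | 14.09.2021 |
CEC-MKT-CPG-LNS | 3068337 | Reverse tabnabbing vulnerability in SAP Marketing Lead Nurture Stream | 3,5 | 14.09.2021 |
XX-CSC-OM-FI | 2308378 | Missing Authorization check in Financial Accounting | 4,3 | 14.09.2021 |
"""

CVE_RE = re.compile(r"\[(CVE-\d{4}-\d{4,})\]")


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score onto its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_score(text: str) -> float:
    """The page writes scores with a decimal comma ('8,9'); normalise first."""
    return float(text.strip().replace(",", "."))


@dataclass
class SecurityNote:
    component: str
    note: str
    title: str
    cve: Optional[str]
    cvss: float
    released: str

    @property
    def severity(self) -> str:
        return cvss_severity(self.cvss)


def parse_table(markdown: str) -> List[SecurityNote]:
    """Parse the pipe-delimited summary rows, skipping header and separator."""
    notes: List[SecurityNote] = []
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 5 or cells[0] == "SAP Component" or cells[0].startswith("---"):
            continue
        component, note, title, score, released = cells[:5]
        match = CVE_RE.search(title)  # not every note carries a CVE id
        notes.append(SecurityNote(component, note, title,
                                  match.group(1) if match else None,
                                  parse_score(score), released))
    return notes


def prioritise(notes: List[SecurityNote]) -> List[SecurityNote]:
    """Highest CVSS first; ties broken by note number for a stable order."""
    return sorted(notes, key=lambda n: (-n.cvss, n.note))


if __name__ == "__main__":
    for n in prioritise(parse_table(SAMPLE_TABLE)):
        print(f"{n.severity:<8} {n.cvss:>4}  Note {n.note}  {n.cve or '-':<16} {n.title}")
```

Feed the full table from the post into `parse_table` and the two 9.9 code-injection/upload notes and the 10.0 JMS Connector note come out on top, which is the order in which they should be scheduled for patching.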