SAP Security Notes Summary – September 2023

Once a month I publish a review of all SAP Security Notes and related news released in that month. SAP Security Notes contain SAP's expert advice on important action items and patches that keep your systems secure.

| SAP Component | Number | Title | CVSS Score* | Released On |
|---|---|---|---|---|
| FI-AP-AP-Q1 | 3219846 | [CVE-2023-42473] Missing Authorization Check In S/4HANA (Manage Withholding Tax Items) | 5,4 | 26.09.2023 |
| BI-BIP-LCM | 3320355 | [CVE-2023-40622] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) | 9,9 | 12.09.2023 |
| BI-BIP-CMC | 3245526 | [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) | 9,9 | 12.09.2023 |
| BC-SYB-PD | 3357163 | [CVE-2023-40621] Code Injection vulnerability in SAP PowerDesigner Client | 6,3 | 12.09.2023 |
| FI-FIO-AP-CHK | 3355675 | [CVE-2023-41368] Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps) | 2,7 | 12.09.2023 |
| MM-FIO-PUR-SQ-CON | 3326361 | [CVE-2023-40625] Missing Authorization check in Manage Purchase Contracts App | 5,4 | 12.09.2023 |
| BI-RA-WBI-FE | 3370490 | [CVE-2023-42472] Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) | 8,7 | 12.09.2023 |
| BC-GP | 3348142 | [CVE-2023-41367] Missing Authentication check in SAP NetWeaver (Guided Procedures) | 5,3 | 12.09.2023 |
| BI-BIP-LCM | 3352453 | [CVE-2023-37489] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | 5,3 | 12.09.2023 |
| FS-QUO | 3349805 | Denial of service (DOS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP Quotation Management Insurance (FS-QUO) | 5,7 | 12.09.2023 |
| BC-IAM-SSO-CCL | 3327896 | [CVE-2023-40308] Memory Corruption vulnerability in SAP CommonCryptoLib | 7,5 | 12.09.2023 |
| BC-WD-UR | 3323163 | [CVE-2023-40624] Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering) | 5,5 | 12.09.2023 |
| BI-BIP-INS | 3317702 | [CVE-2023-40623] Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite (installer) | 6,2 | 12.09.2023 |
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | 12.09.2023 |
| BC-XI-CON-UDS | 3273480 | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) | 9,9 | 12.09.2023 |
| FI-FIO-AP | 3369680 | [CVE-2023-41369] External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application) | 3,5 | 12.09.2023 |
| BC-IAM-SSO-CCL | 3340576 | [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib | 9,8 | 12.09.2023 |

*CVSS (Common Vulnerability Scoring System) captures the characteristics of a vulnerability and produces a numerical score reflecting its severity. The numerical score can then be translated into a qualitative rating (such as low, medium, high, or critical) to help organizations properly assess and prioritize their vulnerability management processes.
