SAP Patches Critical Vulnerabilities in Commerce, Manufacturing Execution Products

German enterprise software maker SAP has released 15 new security notes on its October 2022 Security Patch Day, including two ‘hot news’ notes dealing with critical vulnerabilities. The company also updated two previously released security notes.

The most severe of these issues is CVE-2022-39802 (CVSS score of 9.9), which is described as a file path traversal in Manufacturing Execution. The bug impacts Work Instruction Viewer and Visual Test and Repair, two plugins for displaying work instructions and models.

“The URL to request this information included a file path parameter that could be manipulated to allow arbitrary traversal of directories on the remote server. The file content within each directory could be read in the user context of the OS user executing the NetWeaver process or service,” enterprise application protection firm Onapsis explains.
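The defect Onapsis describes is the classic shape of a path traversal bug: a client-supplied file path is joined onto a server-side directory and read without checking where the resulting path actually lands. The following added example, which is not SAP's or Onapsis's code, contrasts the naive join with a confined version that resolves the candidate path and refuses anything outside the work-instruction directory. The directory layout, file names and `read_work_instruction` function are all constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def naive_join(root: str, requested: str) -> str:
    """The vulnerable pattern: join the client value onto the directory and
    trust the result. '..' segments walk out of the intended directory."""
    return os.path.normpath(os.path.join(root, requested))


def confined_path(root: str, requested: str) -> Optional[Path]:
    """Resolve the requested file and require it to stay under `root`.

    resolve() collapses '..' and follows symlinks, so the containment check
    is made on the real filesystem location, not on the raw string.  An
    absolute `requested` replaces `base` when joined, and is rejected by the
    same check.  Returns None when the request escapes the root.
    """
    base = Path(root).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def read_work_instruction(root: str, requested: str) -> Optional[bytes]:
    """Hypothetical hardened handler: only regular files under `root` are served."""
    path = confined_path(root, requested)
    if path is None or not path.is_file():
        return None
    return path.read_bytes()


def demo() -> dict:
    """Build a constructed layout in a temp dir and exercise both variants."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "instructions"       # constructed document root
        root.mkdir()
        (root / "wi-100.txt").write_bytes(b"step 1: inspect part")
        secret = Path(tmp) / "secret.txt"       # constructed file outside root
        secret.write_bytes(b"not for export")
        return {
            # legitimate request inside the root is served
            "legit": read_work_instruction(str(root), "wi-100.txt"),
            # '..' traversal and absolute paths are refused by the hardened handler
            "traversal": read_work_instruction(str(root), "../secret.txt"),
            "absolute": read_work_instruction(str(root), str(secret)),
            # the naive join happily produces the path to the outside file
            "naive_escapes": naive_join(str(root), "../secret.txt") == str(secret),
        }


if __name__ == "__main__":
    print(demo())
```

The check must run on the fully decoded value the application will actually open; validating the still URL-encoded parameter (where `..` may appear as `%2e%2e`) and decoding afterwards recreates the bug. Resolving against the real filesystem also catches symlinks that point out of the directory, which a purely lexical `normpath` comparison would miss.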

The second critical vulnerability, CVE-2022-41204 (CVSS score of 9.6), impacts the SAP Commerce login form and could lead to account hijacking through URL redirection.

The issue exists because the URLs that are called when a login form is submitted are not properly sanitized. An attacker can inject redirect information into them, causing sensitive information to be sent to an attacker-controlled server.

“Attackers didn’t require any privileges to start an exploit but they did need a user to click the malicious link that opens the manipulated login form to execute the exploit. Bad actors can trick users to click this type of link by using phishing techniques to distribute the manipulated URL to legitimate SAP Commerce users,” Onapsis explains.
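The underlying weakness is an unvalidated redirect: a URL taken from the request is echoed into the login flow, so a crafted link can point the post-login destination (or the form's submit target) at a host the attacker controls. The added example below is not SAP Commerce code; it shows the defensive pattern of reducing any such URL to a site-relative path before using it, with an allowlist of the application's own hosts. The host name `shop.example.com` and the function name are constructed for the demonstration.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist of hosts the application itself is served from.
ALLOWED_HOSTS = {"shop.example.com"}


def safe_redirect_target(raw: Optional[str], default: str = "/") -> str:
    """Return a site-relative path derived from `raw`, or `default`.

    Every accepted value is rewritten to path + query only, so whatever the
    client supplied, the browser is sent back to the same origin.  Anything
    that names a foreign host, a non-HTTP scheme, or uses tricks that
    browsers interpret as a host (protocol-relative '//', backslashes) is
    replaced by the default landing page.
    """
    if not raw:
        return default
    parts = urlsplit(raw.strip())

    # 'javascript:', 'data:' and friends are never a valid redirect.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default

    # A host is present: it must be one of ours. hostname already strips
    # userinfo, so 'https://shop.example.com@evil.example/' is judged on
    # 'evil.example'.  A protocol-relative '//evil.example/x' also lands here.
    if parts.netloc and parts.hostname not in ALLOWED_HOSTS:
        return default

    path = parts.path
    # Require an absolute path on our own origin; '//' and '\\' are
    # reinterpreted by browsers as a host separator and are refused.
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return default

    # Drop scheme, host and fragment: the result can only stay on this site.
    return urlunsplit(("", "", path, parts.query, ""))


if __name__ == "__main__":
    for sample in ["/account/orders", "https://shop.example.com/cart?x=1",
                   "https://evil.example/login", "//evil.example/x",
                   "/\\evil.example", "javascript:alert(1)", ""]:
        print(repr(sample), "->", safe_redirect_target(sample))
```

Applying the same reduction to both the post-login `redirect` value and any URL rendered into the form's `action` keeps credentials from being posted off-site, which is the outcome the advisory describes. Returning a relative path rather than comparing full URLs sidesteps the many parser-disagreement tricks (userinfo, mixed case, trailing dots) that defeat string-prefix allowlists.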

SAP released five new and one updated high-severity security notes on its October 2022 Security Patch Day, including three that deal with information disclosure vulnerabilities in BusinessObjects and one addressing a buffer overflow in SQL Anywhere and IQ.

The two remaining notes resolve multiple security holes in 3D Visual Enterprise Viewer (17 issues) and 3D Visual Enterprise Author (26 bugs). An attacker could trick users into opening manipulated files in 3D Visual Enterprise Viewer/Author, leading to arbitrary code execution or denial of service (DoS).

The remaining nine security notes that SAP announced this week deal with medium-severity information disclosure and cross-site scripting (XSS) flaws in BusinessObjects, Enable Now, Commerce, Customer Data Cloud (Gigya), and Data Services Management Console.

According to Onapsis, SAP released six other security notes between the second Tuesday of September and the second Tuesday of October.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.