SAP Patches Critical Vulnerabilities in Commerce, Manufacturing Execution Products

German enterprise software maker SAP has released 15 new security notes on its October 2022 Security Patch Day, including two ‘hot news’ notes dealing with critical vulnerabilities. The company also updated two previously released security notes.

The most severe of these issues is CVE-2022-39802 (CVSS score of 9.9), which is described as a file path traversal in Manufacturing Execution. The bug impacts Work Instruction Viewer and Visual Test and Repair, two plugins for displaying work instructions and models.

“The URL to request this information included a file path parameter that could be manipulated to allow arbitrary traversal of directories on the remote server. The file content within each directory could be read in the user context of the OS user executing the NetWeaver process or service,” enterprise application protection firm Onapsis explains.

The second critical vulnerability, CVE-2022-41204 (CVSS score of 9.6), impacts the SAP Commerce login form and could lead to account hijacking through URL redirection.

The issue exists because the URLs that are called when a login form is submitted are not properly sanitized, allowing an attacker to inject redirect information into them, leading to sensitive information being sent to an attacker-controlled server.

“Attackers didn’t require any privileges to start an exploit but they did need a user to click the malicious link that opens the manipulated login form to execute the exploit. Bad actors can trick users to click this type of link by using phishing techniques to distribute the manipulated URL to legitimate SAP Commerce users,” Onapsis explains.
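The two critical bugs above share a pattern: a request parameter (a file path in Manufacturing Execution, a redirect URL in the Commerce login form) reaches a sensitive operation without being constrained. The following Python helpers, added here as illustration and not taken from SAP or Onapsis, show the defensive checks a reviewer would expect for each: path containment that survives URL-encoding and `..` sequences, and redirect validation that only accepts same-site paths or allow-listed HTTPS hosts. The base directory, host allow-list and file names are constructed assumptions.

```python
import os
from typing import Optional
from urllib.parse import unquote, urlsplit


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` only if it stays inside
    `base_dir` after decoding, normalisation and symlink resolution;
    otherwise return None (the traversal pattern behind CVE-2022-39802)."""
    base = os.path.realpath(base_dir)
    # Decode twice so %252e%252e (double-encoded "..") is also caught,
    # and fold backslashes so Windows-style separators cannot sneak past.
    cleaned = unquote(unquote(requested)).replace("\\", "/")
    if cleaned.startswith("/"):
        return None  # an absolute path is never a valid document name
    candidate = os.path.realpath(os.path.join(base, cleaned))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None  # resolved outside the document root
    except ValueError:  # different drives on Windows
        return None
    return candidate


def safe_redirect_target(target: str, allowed_hosts: set) -> str:
    """Return `target` if it is a same-site relative path or an absolute
    https URL whose host is allow-listed; otherwise fall back to "/".
    Rejects protocol-relative (//host), backslash and scheme tricks,
    the kind of injected redirect described for CVE-2022-41204."""
    if not target:
        return "/"
    cleaned = target.strip().replace("\\", "/")
    parts = urlsplit(cleaned)
    if not parts.scheme and not parts.netloc:
        # Relative path: must begin with exactly one slash.
        if cleaned.startswith("/") and not cleaned.startswith("//"):
            return cleaned
        return "/"
    # urlsplit().hostname drops userinfo, so "https://good@evil/" is
    # judged by "evil", not "good".
    if parts.scheme == "https" and parts.hostname in allowed_hosts:
        return cleaned
    return "/"
```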

SAP released five new and one updated high-severity security notes on the October 2022 Security Patch Day, including three that deal with information disclosure vulnerabilities in BusinessObjects and one addressing a buffer overflow in SQL Anywhere and IQ.

The two remaining notes resolve multiple security holes in 3D Visual Enterprise Viewer (17 issues) and 3D Visual Enterprise Author (26 bugs). An attacker could trick users into opening manipulated files in 3D Visual Enterprise Viewer/Author, leading to arbitrary code execution or denial of service (DoS).

The remaining nine security notes that SAP announced this week deal with medium-severity information disclosure and cross-site scripting (XSS) flaws in BusinessObjects, Enable Now, Commerce, Customer Data Cloud (Gigya), and Data Services Management Console.

According to Onapsis, SAP released six other security notes between the second Tuesday of September and the second Tuesday of October.

Related: SAP Patches High-Severity Flaws in Business One, BusinessObjects, GRC

Related: SAP Patches Information Disclosure Vulnerabilities in BusinessObjects

Related: SAP Patches High-Severity Vulnerabilities in Business One Product

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
