SecurityWeek
SAP Patches Critical Vulnerabilities in Commerce, Manufacturing Execution Products

German enterprise software maker SAP has released 15 new security notes on its October 2022 Security Patch Day, including two ‘hot news’ notes dealing with critical vulnerabilities. The company also updated two previously released security notes.

The most severe of these issues is CVE-2022-39802 (CVSS score of 9.9), which is described as a file path traversal in Manufacturing Execution. The bug impacts Work Instruction Viewer and Visual Test and Repair, two plugins for displaying work instructions and models.

“The URL to request this information included a file path parameter that could be manipulated to allow arbitrary traversal of directories on the remote server. The file content within each directory could be read in the user context of the OS user executing the NetWeaver process or service,” enterprise application protection firm Onapsis explains.
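The Onapsis description above is the classic shape of a path traversal: a file path taken from the URL is joined onto a server-side directory without checking that the result still lies inside it, so `../` segments walk out of the directory and the process reads whatever its OS user can. The following is an added, generic illustration of that pattern and its fix, not SAP's code: the document root, the in-memory file table and the request handler are constructed stand-ins, and nothing here reflects how the Manufacturing Execution plugins are actually implemented.

```python
import posixpath
from typing import Optional, Callable, Tuple
from urllib.parse import unquote

# Constructed example: a directory standing in for the server-side folder
# that holds work instructions and models. Not an SAP path.
DOC_ROOT = "/srv/app/workinstructions"

# Constructed in-memory stand-in for files on disk, keyed by absolute path,
# so the example runs offline. The /etc/passwd entry plays the role of a
# sensitive file outside the document root.
FILES = {
    "/srv/app/workinstructions/models/pump.3d": b"<model>",
    "/srv/app/workinstructions/readme.txt": b"read me",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh",
}


def naive_resolve(root: str, requested: str) -> str:
    """Vulnerable pattern: join and normalise, but never check containment.
    '../' segments in the request walk out of the root directory."""
    return posixpath.normpath(posixpath.join(root, requested))


def safe_resolve(root: str, requested: str) -> Optional[str]:
    """Hardened pattern: decode once, reject absolute paths and NUL bytes,
    normalise, then verify the result is still under the root.
    Returns None for anything that must not be served."""
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators so "..\\" cannot slip past the check.
    decoded = decoded.replace("\\", "/")
    # An absolute path would make posixpath.join discard the root entirely.
    if decoded.startswith("/"):
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # Containment check: equal to the root, or a path strictly below it.
    # The trailing "/" stops "/srv/app/workinstructions-evil" from matching.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def handle_request(param: str, resolver: Callable[[str, str], Optional[str]]) -> Tuple[int, bytes]:
    """Simulated file-serving endpoint: (status, body)."""
    path = resolver(DOC_ROOT, param)
    if path is None:
        return 400, b""
    data = FILES.get(path)
    if data is None:
        return 404, b""
    return 200, data


if __name__ == "__main__":
    for payload in ("models/pump.3d", "../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd", "/etc/passwd"):
        print(payload, "naive:", handle_request(payload, naive_resolve)[0],
              "safe:", handle_request(payload, safe_resolve)[0])
```

The important design point is that normalisation alone is not the fix; the resolved path has to be compared against the root after normalisation, and the comparison must include the trailing separator so a sibling directory with the same prefix does not pass. Decoding happens exactly once, so a double-encoded `%252e%252e` stays a literal `%2e%2e` component and is never interpreted as `..`.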

The second critical vulnerability, CVE-2022-41204 (CVSS score of 9.6), impacts the SAP Commerce login form and could lead to account hijacking through URL redirection.

The issue exists because the URLs called when the login form is submitted are not properly sanitized, allowing an attacker to inject redirect information into them; the browser then follows the redirect and sensitive information ends up on an attacker-controlled server.

“Attackers didn’t require any privileges to start an exploit but they did need a user to click the malicious link that opens the manipulated login form to execute the exploit. Bad actors can trick users to click this type of link by using phishing techniques to distribute the manipulated URL to legitimate SAP Commerce users,” Onapsis explains.
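The bug class described above is an open redirect on a login flow: a redirect target taken from the request is reflected into the post-login response without validation, so a phished user who authenticates on the real site is sent on to a server the attacker controls. The following added example, which is generic and not SAP Commerce code, shows the unsafe pattern beside a validator that restricts the target to same-site paths or an explicit host allowlist. The host name, the parameter name `next` and the simulated login response are constructed assumptions; the page does not state which parameter or mechanism is affected in SAP Commerce.

```python
from typing import Optional, Dict
from urllib.parse import urlsplit

# Constructed assumption: the site's own host(s). Exact-match only.
ALLOWED_HOSTS = {"shop.example"}
DEFAULT_TARGET = "/"


def safe_redirect_target(raw: Optional[str],
                         allowed_hosts=ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return a redirect target that stays on this site, or the default.
    The input is assumed to be the already URL-decoded parameter value."""
    if raw is None:
        return default
    target = raw.strip()
    # CR/LF would let the value break out of the Location header; NUL
    # truncates in some stacks. Refuse rather than try to repair.
    if any(c in target for c in "\r\n\x00"):
        return default
    # Browsers treat backslashes as forward slashes, so "/\\evil.example"
    # is really "//evil.example". Normalise before parsing.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default                      # javascript:, data:, etc.
    if parts.netloc:
        # Absolute URL: hostname must match the allowlist exactly. This
        # also rejects "shop.example.evil.example" and "shop.example@evil".
        host = (parts.hostname or "").lower()
        return target if host in allowed_hosts else default
    # Relative URL: must be a single leading slash. "//host" is
    # protocol-relative and would leave the site.
    if not target.startswith("/") or target.startswith("//"):
        return default
    return target


def login_redirect(next_param: Optional[str], validate: bool = True) -> Dict[str, object]:
    """Simulated post-login 302. validate=False reproduces the unsafe
    pattern of echoing the parameter straight into the Location header."""
    if validate:
        location = safe_redirect_target(next_param)
    else:
        location = next_param or DEFAULT_TARGET
    return {"status": 302, "Location": location}


if __name__ == "__main__":
    # Constructed phishing-style values an attacker might plant in a link.
    for value in ("/account/orders", "//evil.example/steal",
                  "https://evil.example/login", "/\\evil.example",
                  "https://shop.example.evil.example/", "javascript:alert(1)"):
        print(f"{value!r:40} unsafe -> {login_redirect(value, validate=False)['Location']}"
              f"   safe -> {login_redirect(value)['Location']}")
```

Two choices matter here: the host comparison is an exact match against an allowlist rather than a prefix or suffix test, and relative targets are required to start with exactly one slash. Both of the usual bypasses, a protocol-relative `//host` and a look-alike host that merely contains the trusted name, fall out of those rules without special-casing.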

SAP released five new and one updated high-severity security notes on its October 2022 Security Patch Day, including three that deal with information disclosure vulnerabilities in BusinessObjects and one addressing a buffer overflow in SQL Anywhere and IQ.

The two remaining notes resolve multiple security holes in 3D Visual Enterprise Viewer (17 issues) and 3D Visual Enterprise Author (26 bugs). An attacker could trick users into opening manipulated files in 3D Visual Enterprise Viewer/Author, leading to arbitrary code execution or denial of service (DoS).

The remaining nine security notes that SAP announced this week deal with medium-severity information disclosure and cross-site scripting (XSS) flaws in BusinessObjects, Enable Now, Commerce, Customer Data Cloud (Gigya), and Data Services Management Console.

According to Onapsis, SAP released six other security notes between the second Tuesday of September and the second Tuesday of October.

Related: SAP Patches High-Severity Flaws in Business One, BusinessObjects, GRC

Related: SAP Patches Information Disclosure Vulnerabilities in BusinessObjects

Related: SAP Patches High-Severity Vulnerabilities in Business One Product

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
