Security Experts:

Connect with us

Hi, what are you looking for?



SAP Patches Critical Vulnerabilities in Environmental Compliance

On Tuesday, its October 2021 Security Patch Day, SAP announced the release of 13 new security notes and an update for a previously released note. Three of the notes are rated Hot News.

On Tuesday, its October 2021 Security Patch Day, SAP announced the release of 13 new security notes and an update for a previously released note. Three of the notes are rated Hot News.

The most important of SAP’s security notes deals with two critical vulnerabilities in SAP Environmental Compliance. Tracked as CVE-2020-10683 and CVE-2021-23926 (CVSS score of 9.8), the bugs are potential XML external entity (XXE) injection issues.

While SAP hasn’t provided specific details on these security holes, XML injection bugs typically allow an attacker to interfere with the processing of XML data, leading to information disclosure or enabling the attacker to interact with backend systems, SAP application security firm Onapsis says.

SAP has also addressed a critical improper authorization in NetWeaver AS ABAP and ABAP Platform (CVE-2021-38178, CVSS score of 9.1). The flaw could be exploited to bypass quality gates and transfer ABAP code artifacts to quality and production systems.

A third Hot News security note released this week is an update to the Chromium browser in the SAP Business Client.

Only one of SAP’s newly released security notes has a severity rating of high. It addresses a denial of service (DoS) vulnerability (CVE-2021-40498, CVSS score of 7.8) in SuccessFactors Mobile Application for Android devices.

During the execution of implemented Android methods, interaction with activities from other Android applications that use these methods is possible, which could lead to potential phishing attacks, in addition to DoS.

All of the remaining 10 security notes in SAP’s new round of patches deal with medium-severity issues, including information disclosure, DoS, code injection, and cross-site scripting (XSS) bugs.

In addition to these 14 security notes, SAP released 3 other notes since last month’s Security Patch Day. All three deal with medium-severity security defects.

Related: SAP Patches Critical Vulnerabilities With September 2021 Security Updates

Related: Nine Critical and High-Severity Vulnerabilities Patched in SAP Products

Related: SAP Customer Survey Reveals False Sense of Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.