Connect with us

Hi, what are you looking for?



SAP Patches Critical Vulnerabilities in Environmental Compliance

On Tuesday, its October 2021 Security Patch Day, SAP announced the release of 13 new security notes and an update for a previously released note. Three of the notes are rated Hot News.

On Tuesday, its October 2021 Security Patch Day, SAP announced the release of 13 new security notes and an update for a previously released note. Three of the notes are rated Hot News.

The most important of SAP’s security notes deals with two critical vulnerabilities in SAP Environmental Compliance. Tracked as CVE-2020-10683 and CVE-2021-23926 (CVSS score of 9.8), the bugs are potential XML external entity (XXE) injection issues.

While SAP hasn’t provided specific details on these security holes, XML injection bugs typically allow an attacker to interfere with the processing of XML data, leading to information disclosure or enabling the attacker to interact with backend systems, SAP application security firm Onapsis says.

SAP has also addressed a critical improper authorization in NetWeaver AS ABAP and ABAP Platform (CVE-2021-38178, CVSS score of 9.1). The flaw could be exploited to bypass quality gates and transfer ABAP code artifacts to quality and production systems.

A third Hot News security note released this week is an update to the Chromium browser in the SAP Business Client.

Only one of SAP’s newly released security notes has a severity rating of high. It addresses a denial of service (DoS) vulnerability (CVE-2021-40498, CVSS score of 7.8) in SuccessFactors Mobile Application for Android devices.

During the execution of implemented Android methods, interaction with activities from other Android applications that use these methods is possible, which could lead to potential phishing attacks, in addition to DoS.

Advertisement. Scroll to continue reading.

All of the remaining 10 security notes in SAP’s new round of patches deal with medium-severity issues, including information disclosure, DoS, code injection, and cross-site scripting (XSS) bugs.

In addition to these 14 security notes, SAP released 3 other notes since last month’s Security Patch Day. All three deal with medium-severity security defects.

Related: SAP Patches Critical Vulnerabilities With September 2021 Security Updates

Related: Nine Critical and High-Severity Vulnerabilities Patched in SAP Products

Related: SAP Customer Survey Reveals False Sense of Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.