Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



SAP Patches Critical Vulnerabilities in CX Commerce, NetWeaver

SAP has released 14 new and three updated security notes on its May 2024 Security Patch Day.

SAP vulnerability patches

Enterprise software maker SAP on Tuesday announced the release of 14 new and three updated security notes as part of its May 2024 Security Patch Day.

Two new and one updated security notes are rated ‘hot news’, the highest severity in SAP’s playbook, addressing critical flaws in Business Client, CX Commerce, and NetWeaver Application Server ABAP and ABAP Platform.

The first of the hot news security notes resolves two vulnerabilities in Customer Experience (CX) Commerce, both impacting third-party libraries in SAP’s product.

The most severe of the bugs is CVE-2019-17495 (CVSS score of 9.8), a CSS injection issue in Swagger UI leading to CSS-based input field value exfiltration using the Relative Path Overwrite (RPO) technique.

SAP also patched CVE-2022-36364 (CVSS score of 8.8), a remote code execution flaw in the Apache Calcite Avatica library, which exists because the library’s JDBC driver does not perform sufficient checks for expected interfaces before instantiating HTTP client instances.

The second new hot news note released on SAP’s May 2024 Security Patch Day resolves CVE-2024-33006 (CVSS score of 9.6), a file upload bug in NetWeaver that exists because a signature check for two content repositories is missing.

“An unauthenticated attacker can upload a malicious file to the server which when accessed by a victim can allow an attacker to completely compromise the system,” application security firm Onapsis explains.

The updated hot news security note delivers the latest security updates for the Chromium-based browser in SAP Business Client, addressing a total of 23 vulnerabilities, including three high-severity bugs.

Advertisement. Scroll to continue reading.

On Tuesday, SAP also announced patches for a high-severity cross-site scripting (XSS) vulnerability in BusinessObjects Business Intelligence Platform, that exists because user input is not sufficiently sanitized, allowing an attacker to control a parameter in the Opendocument URL.

The remaining 13 security notes resolve medium- and low-severity issues in Enable Now Manager, NetWeaver, S/4HANA, My Travel Requests, Process Integration, Replication Server, BusinessObjects, Process Integration, Global Label Management, Bank Account Management, and UI5 (PDFViewer).

SAP customers are advised to apply the security notes as soon as possible. The company makes no mention of any of these vulnerabilities being exploited in the wild. However, attackers are known to have exploited security defects in SAP products for which patches have been released.

Related: SAP Applications Increasingly in Attacker Crosshairs, Report Shows

Related: SAP’s April 2024 Updates Patch High-Severity Vulnerabilities

Related: SAP Patches Critical Command Injection Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights