German software maker SAP on Tuesday announced the release of 20 new security notes and three updates to previous security notes as part of its July 2022 Security Patch Day.
Of the new security notes, four deal with high-severity vulnerabilities, one impacting SAP BusinessObjects and three found in Business One.
The most severe of these issues is CVE-2022-35228 (CVSS score of 8.3), an information disclosure vulnerability in the central management console of the BusinessObjects Business Intelligence Platform.
The issue “allows an unauthenticated attacker to gain token information over the network,” but the attack “would require a legitimate user to access the application,” software security firm Onapsis explains.
The first of the high-severity bugs that impact Business One is an information disclosure flaw (CVE-2022-32249) that allows a highly privileged attacker to access sensitive information that can be used in subsequent attacks, such as credentials.
The second issue is a missing authorization check (CVE-2022-28771) that allows an unauthenticated attacker to break an application using malicious HTTP requests sent over the network.
The third bug in Business One is a code injection vulnerability (CVE-2022-31593) that allows a low privileged attacker to control application behavior.
A total of 17 security notes released on SAP’s July 2022 Security Patch Day address medium-severity vulnerabilities, the majority of which impact the NetWeaver Enterprise Portal and Business Objects.
SAP published six security notes that address cross-site scripting (XSS) vulnerabilities in the NetWeaver Enterprise Portal, all of them with a CVSS score of 6.1. Five other security notes address medium-severity issues in Business Objects.
The remaining medium-severity security notes deal with vulnerabilities in SAPS/4HANA, EA-DFPS, ABAP Platform, and Business One.
Related: SAP Patches High-Severity NetWeaver Vulnerabilities
Related: SAP Patches Spring4Shell Vulnerability in More Products
Related: Critical SAP Vulnerability Allows Supply Chain Attacks
More from Ionut Arghire
- Google Leads $16 Million Investment in Dope.security
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- CISA, NSA Issue Guidance for IAM Administrators
- Cisco Patches High-Severity Vulnerabilities in IOS Software
- ‘Nexus’ Android Trojan Targets 450 Financial Applications
- ‘Badsecrets’ Open Source Tool Detects Secrets in Many Web Frameworks
Latest News
- Intel Co-founder, Philanthropist Gordon Moore Dies at 94
- Google Leads $16 Million Investment in Dope.security
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
