Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Patches High-Severity Vulnerabilities in Financial Consolidation, NetWeaver

SAP has released 10 new security notes on June 2024 Security Patch Day, including two addressing high-severity vulnerabilities.

Enterprise software maker SAP on Tuesday announced the release of ten new and two updated security notes as part of its June 2024 Security Patch Day.

SAP’s new set of patches includes two high-priority security notes, the most severe of which addresses a cross-site scripting (XSS) bug in Financial Consolidation.

According to application security firm Onapsis, the security note addresses two XSS flaws in SAP’s product, collectively tracked as CVE-2024-37177 (CVSS score of 8.1).

“The more critical one allows data to enter a web application through an untrusted source and manipulating web site content. This causes a high impact on the confidentiality and integrity of the application,” Onapsis explains.

The second high-priority note resolves a denial-of-service (DoS) vulnerability in SAP NetWeaver AS Java, tracked as CVE-2024-34688 (CVSS score of 7.5).

Impacting the NetWeaver AS Java’s Meta Model Repository services, the issue exists because access to these services was not restricted, allowing attackers to cause DoS conditions on the application and prevent legitimate users from using it, Onapsis says.

Eight of the remaining security notes released on SAP’s June 2024 Security Patch Day address medium-severity vulnerabilities in the NetWeaver and ABAP platform, Document Builder, S/4HANA, CRM, BW/4HANA Transformation and DTP, Student Life Cycle Management, and NetWeaver AS Java products.

Successful exploitation of these issues could result in DoS conditions, arbitrary file uploads, information disclosure, or data tampering.

Advertisement. Scroll to continue reading.

The remaining two security notes, one new and one updated, resolve low-severity issues in BusinessObjects Business Intelligence Platform and Central Finance Infrastructure Components.

SAP makes no mention of any of these vulnerabilities being exploited in the wild, but attackers are known to have targeted flaws in SAP products for which patches had been released. Organizations are advised to update their installations as soon as possible.

Related: SAP Patches Critical Vulnerabilities in CX Commerce, NetWeaver

Related: SAP Applications Increasingly in Attacker Crosshairs, Report Shows

Related: SAP’s April 2024 Updates Patch High-Severity Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Gabriel Agboruche has been named Executive Director of OT and Cybersecurity at Jacobs.

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

More People On The Move

Expert Insights