SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Patches High-Severity Vulnerabilities in Financial Consolidation, NetWeaver

SAP has released 10 new security notes on June 2024 Security Patch Day, including two addressing high-severity vulnerabilities.

Enterprise software maker SAP on Tuesday announced the release of ten new and two updated security notes as part of its June 2024 Security Patch Day.

SAP’s new set of patches includes two high-priority security notes, the most severe of which addresses a cross-site scripting (XSS) bug in Financial Consolidation.

According to application security firm Onapsis, the security note addresses two XSS flaws in SAP’s product, collectively tracked as CVE-2024-37177 (CVSS score of 8.1).

“The more critical one allows data to enter a web application through an untrusted source and manipulating web site content. This causes a high impact on the confidentiality and integrity of the application,” Onapsis explains.

The second high-priority note resolves a denial-of-service (DoS) vulnerability in SAP NetWeaver AS Java, tracked as CVE-2024-34688 (CVSS score of 7.5).

Impacting the NetWeaver AS Java’s Meta Model Repository services, the issue exists because access to these services was not restricted, allowing attackers to cause DoS conditions on the application and prevent legitimate users from using it, Onapsis says.

Advertisement. Scroll to continue reading.

Eight of the remaining security notes released on SAP’s June 2024 Security Patch Day address medium-severity vulnerabilities in the NetWeaver and ABAP platform, Document Builder, S/4HANA, CRM, BW/4HANA Transformation and DTP, Student Life Cycle Management, and NetWeaver AS Java products.

Successful exploitation of these issues could result in DoS conditions, arbitrary file uploads, information disclosure, or data tampering.

The remaining two security notes, one new and one updated, resolve low-severity issues in BusinessObjects Business Intelligence Platform and Central Finance Infrastructure Components.

SAP makes no mention of any of these vulnerabilities being exploited in the wild, but attackers are known to have targeted flaws in SAP products for which patches had been released. Organizations are advised to update their installations as soon as possible.

Related: SAP Patches Critical Vulnerabilities in CX Commerce, NetWeaver

Related: SAP Applications Increasingly in Attacker Crosshairs, Report Shows

Related: SAP’s April 2024 Updates Patch High-Severity Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Webinar: ROSI for CPS Security Programs
May 13, 2026

In cyber-physical systems (CPS), just one hour of downtime can outweigh an entire annual security budget. Learn how to master the Return on Security Investment (ROSI) to align security goals with the bottom-line priorities.

Register

Virtual Event: Threat Detection and Incident Response Summit
May 20, 2026

Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization.

Register

People on the Move

Jacki Monson has joined CVS Health as SVP, Deputy CISO.

Gigi Schumm has been promoted to Chief Revenue Officer at Securonix.

Chris Sistrunk has been promoted to Practice Leader for Mandiant's OT Security Consulting.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.