
SAP Patches High-Severity Vulnerabilities in PDCE, Commerce

Patch Tuesday: Enterprise software vendor SAP releases patches for high-severity vulnerabilities in multiple products and tools.


Enterprise software maker SAP on Tuesday announced the release of 16 new and two updated security notes as part of its July 2024 patch day, including two notes dealing with high-severity vulnerabilities.

The most severe of the issues is a missing authorization check in PDCE (Product Design Cost Estimating), a lifecycle costing tool. Tracked as CVE-2024-39592 (CVSS score of 7.7/10), the bug could allow an attacker to read generic table data, according to SAP.

The second high-priority note resolves CVE-2024-39597 (CVSS score of 7.2/10), an improper authorization check in SAP Commerce that could provide attackers with access to improperly configured sites.

“An attacker can misuse the forgotten password functionality to gain access to a site for which early login and registration is activated, without requiring the merchant to approve the account beforehand,” according to a separate advisory from application security firm Onapsis.

“If the site is not configured as an isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites,” the company added.
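To make this class of bug concrete, the following is an added example and not code from SAP, SAP Commerce or Onapsis. It models a multi-site storefront with "early login" sites, self-registration that requires merchant approval, and a forgotten-password flow; the data model, function names and the `strict` flag are assumptions made for the illustration. In the weak configuration the reset endpoint only checks that the account exists, so an attacker who self-registers (and is never approved) can use the reset to set a password and log in, and, because non-isolated early-login sites share a customer pool, can also log in to another non-isolated site where registration is disabled. The hardened configuration refuses both the reset and the login until the merchant has approved the account.

```python
"""Constructed model of a multi-site storefront with an 'early login'
registration flow gated by merchant approval.  Illustrative only: the
data model, names and the `strict` flag are assumptions for this example,
not SAP Commerce's code."""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import secrets


@dataclass
class Site:
    name: str
    early_login: bool        # customers may log in before go-live
    registration_open: bool  # self-registration is allowed
    isolated: bool           # True: accounts are scoped to this site only


@dataclass
class Account:
    email: str
    home_site: str
    approved: bool = False             # set by the merchant
    pw_hash: Optional[str] = None      # None until a password is set


def _hash(pw: str) -> str:
    # Toy hash; a real system uses a slow password hash (argon2, bcrypt).
    return hashlib.sha256(pw.encode()).hexdigest()


@dataclass
class Storefront:
    strict: bool  # True = hardened authorization checks
    sites: dict = field(default_factory=dict)
    accounts: dict = field(default_factory=dict)
    reset_tokens: dict = field(default_factory=dict)

    def register(self, email: str, site_name: str) -> bool:
        site = self.sites[site_name]
        if not (site.early_login and site.registration_open):
            return False
        self.accounts[email] = Account(email, site_name)
        return True  # pending merchant approval; no password yet

    def approve(self, email: str, pw: str) -> None:
        acct = self.accounts[email]
        acct.approved = True
        acct.pw_hash = _hash(pw)

    def _site_visible(self, acct: Account, site: Site) -> bool:
        if acct.home_site == site.name:
            return True
        home = self.sites[acct.home_site]
        # Non-isolated early-login sites share one customer pool.
        return site.early_login and not site.isolated and not home.isolated

    def request_reset(self, email: str, site_name: str) -> Optional[str]:
        acct = self.accounts.get(email)
        site = self.sites.get(site_name)
        if acct is None or site is None or not self._site_visible(acct, site):
            return None
        if self.strict and not acct.approved:
            return None  # hardened: an unapproved account gets no reset token
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = email
        return token

    def complete_reset(self, token: str, pw: str) -> bool:
        email = self.reset_tokens.pop(token, None)
        if email is None:
            return False
        self.accounts[email].pw_hash = _hash(pw)
        return True

    def login(self, email: str, pw: str, site_name: str) -> bool:
        acct = self.accounts.get(email)
        site = self.sites.get(site_name)
        if acct is None or site is None or acct.pw_hash != _hash(pw):
            return False
        if not self._site_visible(acct, site):
            return False
        if self.strict and not acct.approved:
            return False  # hardened: approval is checked at login as well
        return True


def attacker_bypass(strict: bool) -> dict:
    """Drive the attacker's flow against a constructed storefront and
    report which steps succeeded."""
    store = Storefront(strict=strict)
    store.sites["shopA"] = Site("shopA", early_login=True, registration_open=True, isolated=False)
    store.sites["shopB"] = Site("shopB", early_login=True, registration_open=False, isolated=False)
    store.sites["shopC"] = Site("shopC", early_login=True, registration_open=False, isolated=True)
    store.register("mallory@example.com", "shopA")  # pending, never approved
    token = store.request_reset("mallory@example.com", "shopA")
    if token:
        store.complete_reset(token, "chosen-by-attacker")
    return {
        "reset_issued": token is not None,
        "login_A": store.login("mallory@example.com", "chosen-by-attacker", "shopA"),
        "login_B": store.login("mallory@example.com", "chosen-by-attacker", "shopB"),
        "login_C": store.login("mallory@example.com", "chosen-by-attacker", "shopC"),
    }


if __name__ == "__main__":
    print("weak:    ", attacker_bypass(strict=False))
    print("hardened:", attacker_bypass(strict=True))
```

The isolated site `shopC` is out of reach even in the weak configuration, which mirrors the advisory's point that isolation limits the blast radius; the actual fix, though, is to enforce the approval state in every path that can establish a credential, not only at registration time.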

Of the remaining SAP security notes, 15 are described as medium-severity issues in Landscape Management, Document Builder, NetWeaver, CRM, Business Warehouse, S/4HANA, Business Workflow, GUI for Windows, Transportation Management, and Enable Now.

The patched vulnerabilities include information disclosure issues, unrestricted file uploads, missing authorization checks, cross-site scripting (XSS), and server-side request forgery (SSRF) bugs.

SAP makes no mention of any of these vulnerabilities being exploited in the wild. However, administrators are advised to apply the security notes as soon as possible, as attackers are known to have targeted security defects in SAP products for which patches had already been released.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

