Enterprise software maker SAP on Tuesday announced the release of eight new and two updated security notes as part of its November 2024 security updates.
Marked as ‘high priority’, the second most severe rating in SAP’s playbook, the most important of these notes resolves a high-severity vulnerability in Web Dispatcher, the component that routes incoming requests to the appropriate SAP instances.
In its advisory, SAP describes the security defect, which is tracked as CVE-2024-47590 (CVSS score of 8.8), as a cross-site scripting (XSS) bug.
According to enterprise security firm Onapsis, the flaw can be exploited by unauthenticated attackers by creating a malicious page to execute content in the victim’s browser. The vulnerability can be exploited for both XSS and server-side request forgery (SSRF) attacks, leading to remote code execution on the server.
“This can lead to a full compromise of confidentiality, integrity, and availability. The vulnerability only affects customers who have the Admin UI of SAP Web Dispatcher enabled,” Onapsis explains.
SAP customers are advised to apply the security note to address the issue, but can also mitigate the risk by disabling the Admin UI, either through file deletion or profile parameter changes, or by completely removing the administrative role from all users.
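One way a defender can check whether a Web Dispatcher profile still has the Admin UI wired up, as an added example that is not part of the article or of SAP's own guidance; it assumes the Admin UI is configured through the ICM profile parameter icm/HTTP/admin_<n>, which the article does not name, and uses constructed sample profiles:

```shell
#!/bin/sh
# Added example (not from the article or SAP). Assumption: the Web Dispatcher
# Admin UI is enabled by an uncommented icm/HTTP/admin_<n> line in the profile;
# a profile with no such active line has the Admin UI disabled.

# Print "enabled" or "disabled" for the profile file given as $1.
webdisp_admin_ui_state() {
    if grep -E '^[[:space:]]*icm/HTTP/admin_[0-9]+[[:space:]]*=' "$1" >/dev/null 2>&1; then
        echo enabled
    else
        echo disabled
    fi
}

# Print the active Admin UI parameter lines, so an operator sees what to change.
webdisp_admin_ui_lines() {
    grep -nE '^[[:space:]]*icm/HTTP/admin_[0-9]+[[:space:]]*=' "$1" 2>/dev/null
    return 0
}

# Constructed sample profiles for demonstration only.
sample_dir=$(mktemp -d)
cat > "$sample_dir/weak.pfl" <<'EOF'
# Web Dispatcher profile (constructed sample): Admin UI active
icm/server_port_0 = PROT=HTTPS,PORT=44300
icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=./admin,AUTHFILE=./icmauth.txt
EOF
cat > "$sample_dir/hardened.pfl" <<'EOF'
# Web Dispatcher profile (constructed sample): Admin UI parameter commented out
icm/server_port_0 = PROT=HTTPS,PORT=44300
# icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=./admin,AUTHFILE=./icmauth.txt
EOF

WEAK_PROFILE="$sample_dir/weak.pfl"
HARDENED_PROFILE="$sample_dir/hardened.pfl"

for p in "$WEAK_PROFILE" "$HARDENED_PROFILE"; do
    printf '%s: Admin UI %s\n' "$p" "$(webdisp_admin_ui_state "$p")"
    webdisp_admin_ui_lines "$p"
done
```

Run it against the real profile path of each Web Dispatcher instance instead of the constructed samples; commenting out the parameter is only one of the mitigations the article lists, and applying the security note remains the fix.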
On Tuesday, SAP also updated a high priority note initially released on the July 2024 patch day, which resolves a missing authorization check in Product Design Cost Estimating (PDCE), tracked as CVE-2024-39592.
“A remote-enabled function module in SAP PDCE allows a remote attacker to read generic table data and thus poses the system’s confidentiality at high risk. The patch disables the vulnerable function module. In the update note a patch was added for software component SEM-BW 600,” Onapsis notes.
The remaining eight security notes resolve medium-severity flaws in Host Agent, NetWeaver, Cash Management (Cash Operations), and Bank Account Management.
SAP customers are advised to update their applications as soon as possible. Although SAP makes no mention of any of these vulnerabilities being exploited in the wild, threat actors are known to have targeted SAP vulnerabilities for which patches have been released.