Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Patches High-Severity Vulnerability in Web Dispatcher

SAP has released eight new security notes on November 2024 patch day, including one addressing a high-severity vulnerability in Web Dispatcher.

SAP vulnerability patches

Enterprise software maker SAP on Tuesday announced the release of eight new and two updated security notes as part of its November 2024 security updates.

Marked as ‘high priority’, the second most severe rating in SAP’s playbook, the most important of these notes resolves a high-severity vulnerability in Web Dispatcher, the appliance that distributes incoming requests to the adequate SAP instances.

In its advisory, SAP describes the security defect, which is tracked as CVE-2024-47590 (CVSS score of 8.8), as a cross-site scripting (XSS) bug.

According to enterprise security firm Onapsis, the flaw can be exploited by unauthenticated attackers by creating a malicious page to execute content in the victim’s browser. The vulnerability can be exploited for both XSS and server-side request forgery (SSRF) attacks, leading to remote code execution on the server.

“This can lead to a full compromise of confidentiality, integrity, and availability. The vulnerability only affects customers who have the Admin UI of SAP Web Dispatcher enabled,” Onapsis explains.

SAP customers are advised to apply the security note to address the issue, but can also mitigate the risk by disabling the Admin UI, either through file deletion or profile parameter changes, or by completely removing the administrative role from all users.

On Tuesday, SAP also updated a high priority note initially released on July 2024 patch day, which resolves a missing authorization check in Product Design Cost Estimating (PDCE), tracked as CVE-2024-39592.

“A remote-enabled function module in SAP PDCE allows a remote attacker to read generic table data and thus poses the system’s confidentiality at high risk. The patch disables the vulnerable function module. In the update note a patch was added for software component SEM-BW 600,” Onapsis notes.

Advertisement. Scroll to continue reading.

The remaining eight security notes resolve medium-severity flaws in Host Agent, NetWeaver, Cash Management (Cash Operations), and Bank Account Management.

SAP customers are advised to update their applications as soon as possible. Although SAP makes no mention of any of these vulnerabilities being exploited in the wild, threat actors are known to have targeted SAP vulnerabilities for which patches have been released.

Related: Veeam Patches High-Severity Vulnerability as Exploitation of Previous Flaw Expands

Related: FoxIt Patches Code Execution Flaws in PDF Tools

Related: AutomationDirect Patches Vulnerabilities in PLC, HMI Products

Related: HPE Patches Critical Vulnerabilities in Aruba Access Points

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

SSH Communications Security has appointed Pauli Haikonen as the company’s Chief Information Security Officer (CISO).

Cloud and container security firm Sysdig has tapped William Welch as CEO on its path to an IPO.

Dave Scher has been promoted to Deputy Chief Information Officer at MITRE.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.