SAP Patches for XSS, Log Injection & Other Vulnerabilities


SAP has released the security patches for its October 2023 Patch Day, in which it published new Security Notes and 2 updates to previously released Security Notes.

There were 7 security vulnerabilities, including Cross-site scripting (XSS), Missing XML validation, Server-side Request Forgery, Missing Authorization check, Log injection, and Information disclosure vulnerabilities, that were fixed as part of the patch.



Vulnerabilities Discovered

CVE-2023-42474: Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence

This vulnerability existed in the SAP BusinessObjects Web Intelligence due to a vulnerable URL parameter that could allow a threat actor to send a malicious link to a victim and extract sensitive information. The severity for this vulnerability was given as 6.8 (Medium).

CVE-2023-40310: Missing XML Validation vulnerability in SAP PowerDesigner Client (BPMN2 import)

This vulnerability existed due to insufficient validation of BPMN2 XML documents imported from an untrusted source, resulting in URLs of external entities in the BPMN2 file being accessed. The severity for this vulnerability has been given as 6.5 (Medium).
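The safe way to import an XML document such as a BPMN2 file from an untrusted source is to refuse any DOCTYPE, entity declaration or external entity reference before the content is processed. The following is an added example written for this article, not SAP's or PowerDesigner's code; the BPMN2 element names and the two sample documents are constructed for illustration, and it uses only Python's standard-library expat bindings.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when an imported document tries to use DTD or entity features."""


def parse_bpmn_untrusted(xml_bytes: bytes) -> dict:
    """Parse an untrusted BPMN2-style document, rejecting DTDs and external entities.

    Every DOCTYPE, entity declaration or external entity reference aborts the
    import, so no URL embedded in the file can be fetched during parsing.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML("DOCTYPE is not allowed in an imported BPMN2 document")

    def on_entity_decl(*_args):
        raise UnsafeXML("entity declarations are not allowed")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity reference blocked: {system_id}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    try:
        parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate here
    except xml.parsers.expat.ExpatError as err:
        raise UnsafeXML(f"malformed XML: {err}") from err
    return {"elements": elements}


def rejects(xml_bytes: bytes) -> bool:
    """Return True when the hardened importer refuses the document."""
    try:
        parse_bpmn_untrusted(xml_bytes)
    except UnsafeXML:
        return True
    return False


# Constructed sample: a minimal, well-behaved BPMN2 document.
SAFE_DOC = (b'<?xml version="1.0"?>'
            b'<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL">'
            b'<bpmn:process id="p1"/></bpmn:definitions>')

# Constructed sample: a document carrying an external entity pointing at a URL.
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE definitions [<!ENTITY ext SYSTEM "http://example.invalid/resource">]>'
           b'<definitions>&ext;</definitions>')
```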

CVE-2023-42477: Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application)

This vulnerability could allow a threat actor to send a crafted request from a vulnerable web application, resulting in a limited impact on the confidentiality and integrity of the application. The severity for this vulnerability has been given as 6.5 (Medium).

CVE-2023-42473: Missing Authorization Check In S/4HANA (Manage Withholding Tax Items)

This vulnerability exists due to the lack of authorization checks for an authenticated user, leading to the escalation of privileges on the application. The severity for this vulnerability has been given as 5.4 (Medium).

CVE-2023-31405: Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer)

This vulnerability was previously addressed in the SAP security patch of July 2023. However, as part of the new release notes, there has been a new update to the vulnerability. The severity for this vulnerability was given as 5.3 (Medium).

CVE-2023-41365: Information Disclosure vulnerability in SAP Business One (B1i)

This vulnerability allows an authenticated threat actor to extract details of the fault message stack trace to conduct an XXE injection, leading to information disclosure. The severity of this vulnerability has been given as 4.3 (Medium).

CVE-2023-42475: Information Disclosure Vulnerability in Statutory Reporting

This vulnerability was due to a vulnerable file storage location, which could enable a low-privileged attacker to read server files. The severity of this vulnerability has been given as 4.3 (Medium).

Multiple SAP products were affected by these vulnerabilities, which were patched as part of this security release. A complete release note has been published by SAP, which provides detailed information on the affected products and other information.

Users of the affected products are advised to upgrade to the latest versions to prevent these vulnerabilities from being exploited.
