SAP October 2023 Security Patch Day

SAP has released security updates to address several vulnerabilities affecting multiple products.

The Security Patch Day release fixes several vulnerabilities affecting multiple SAP products, including SAP BusinessObjects Web Intelligence, SAP PowerDesigner Client, SAP NetWeaver AS Java, SAP Business One (B1i), SAP S/4HANA Core, SAP S/4HANA (Manage Withholding Tax Items) and SAP NetWeaver AS for Java (Log Viewer).

An attacker could exploit some of these vulnerabilities to obtain sensitive information, perform cross-site scripting, or cause a denial of service.

A sample of the addressed vulnerabilities:

1. Cross-Site Scripting Vulnerability in SAP BusinessObjects Web Intelligence (CVE-2023-42474):

  • CVSS: 6.8
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Consequences: Cross-site Scripting

2. Missing XML Validation Vulnerability in SAP PowerDesigner Client (BPMN2 import) (CVE-2023-40310):

  • CVSS: 6.5
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Consequences: Denial of Service
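
To show what the "missing XML validation" class in item 2 means in practice, here is an added example, constructed for this advisory: it is not SAP PowerDesigner code and does not reproduce the actual flaw. It places an import routine that hands an untrusted document straight to the XML parser beside one that checks size, nesting depth, the root element and the absence of DOCTYPE/entity declarations before building a tree. The sample documents, the `definitions` root name and the MAX_BYTES / MAX_DEPTH limits are assumptions.

```python
"""Added illustration of the 'missing XML validation' vulnerability class.
Constructed for this advisory; not SAP code and not the actual flaw."""
import xml.etree.ElementTree as ET
from xml.parsers import expat

MAX_BYTES = 1_000_000   # assumed cap on an imported model file
MAX_DEPTH = 64          # assumed cap on element nesting


class ImportRejected(ValueError):
    """Raised when an imported document fails validation."""


# Constructed sample: an internal-entity expansion bomb. Five levels of ten
# references expand into 10**4 copies of "lol" (30,000 characters) from a
# document of a few hundred bytes.
BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE definitions [
  <!ENTITY a "lol">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
  <!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
]>
<definitions><process id="p1">&e;</process></definitions>"""

# Constructed sample: a benign, minimal BPMN-style document.
BENIGN = b"""<?xml version="1.0"?>
<definitions><process id="p1"><task id="t1"/></process></definitions>"""


def nested_sample(depth):
    """Constructed sample: well-formed XML nested `depth` levels below the root."""
    return b"<definitions>" + b"<g>" * depth + b"</g>" * depth + b"</definitions>"


def unsafe_import(data):
    """Vulnerable pattern: parse whatever arrives. Entities declared in the
    internal DTD subset are expanded by the parser, so a tiny file costs
    memory and CPU out of proportion to its size. Returns the length of the
    expanded <process> text to make the amplification visible."""
    root = ET.fromstring(data)
    return len(root.find("process").text or "")


def safe_import(data):
    """Hardened pattern: validate the raw bytes with a streaming expat pass
    (size, no DTD, expected root, bounded depth) before building a tree.
    Stops at the first violation, before any entity is expanded."""
    if len(data) > MAX_BYTES:
        raise ImportRejected("file exceeds %d bytes" % MAX_BYTES)

    depth = 0
    parser = expat.ParserCreate()

    def reject_dtd(*_):
        # Fires on '<!DOCTYPE' / '<!ENTITY', before any expansion happens.
        raise ImportRejected("DOCTYPE and entity declarations are not allowed")

    def start(name, _attrs):
        nonlocal depth
        depth += 1
        if depth == 1 and name != "definitions":
            raise ImportRejected("unexpected root element %r" % name)
        if depth > MAX_DEPTH:
            raise ImportRejected("nesting deeper than %d levels" % MAX_DEPTH)

    def end(_name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = reject_dtd
    parser.EntityDeclHandler = reject_dtd
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except expat.ExpatError as err:
        raise ImportRejected("malformed XML: %s" % err) from None

    return ET.fromstring(data)


def rejects(data):
    """True if safe_import refuses the document."""
    try:
        safe_import(data)
    except ImportRejected:
        return True
    return False


if __name__ == "__main__":
    print("unsafe: bomb expanded to", unsafe_import(BOMB), "characters")
    print("safe: bomb rejected:", rejects(BOMB))
    print("safe: benign root:", safe_import(BENIGN).tag)
    print("safe: depth 100 rejected:", rejects(nested_sample(100)))
```

The validation pass deliberately runs on the raw bytes rather than on a parsed tree: once a parser has expanded the entities, the denial of service has already happened, so the DOCTYPE check has to fire before expansion, and the depth and size limits bound what a well-formed but hostile file can still cost.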
Mitigations

Organisations should apply the corresponding SAP Security Notes as soon as testing in a non-production landscape is complete.

References

SAP Security Patch Day October 2023