- 133/2023
- High
SAP has released security updates to address several vulnerabilities affecting multiple products. In addition, SAP also announced (5) updates to the previously released patch day security notes.
This month’s patch fixes several vulnerabilities affecting multiple SAP products such as SAP Knowledge Warehouse, SAP UI5 Variant Management, SAP Plant Connectivity, SAPUI5, SAP S/4HANA, SAP NetWeaver (Design Time Repository), SAP NetWeaver Enterprise Portal, SAP CRM ABAP (Grantor Management), SAP CRM (WebClient UI), and SAP BusinessObjects Business Intelligence Platform.
The attacker could exploit some of these vulnerabilities to gain access, obtain sensitive information, cause denial of service attacks, perform cross-site scripting, or SQL injection.
Sample of the addressed vulnerabilities:
Stored Cross-Site Scripting Vulnerability in SAP UI5 Variant Management (CVE-2023-33991):
- CVSS: 8.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Consequences: Cross-Site Scripting
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.