SAP June 2024 Security Patch Day

SAP has released security updates to address several vulnerabilities affecting multiple SAP products.

The updates cover products including SAP NetWeaver AS Java, ABAP platform, SAP Financial Consolidation, SAP Document Builder, SAP S/4HANA, SAP CRM (WebClient UI), SAP BW/4HANA Transformation and DTP, SAP Student Life Cycle Management, and SAP BusinessObjects Business Intelligence Platform.

An attacker could exploit some of these vulnerabilities to obtain sensitive information, perform cross-site scripting, conduct denial-of-service attacks, or gain elevated privileges on the affected products.

Sample of the addressed vulnerabilities:

1. SAP Financial Consolidation Cross-Site Scripting Vulnerability (CVE-2024-37177):

  • CVSS: 8.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Consequences: Cross-Site Scripting

2. SAP NetWeaver AS Java Denial of Service Vulnerability (CVE-2024-34688):

  • CVSS: 7.5
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Denial of Service

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.
