- 143/2024
- Critical
SAP has released security updates to address several vulnerabilities affecting multiple SAP products.
SAP has released a patch that fixes several vulnerabilities affecting multiple SAP products such as SAP Business Client, SAP Commerce, SAP NetWeaver Application Server ABAP and ABAP Platform, SAP BusinessObjects, SAP S/4HANA (Document Service Handler for DPS), My Travel Requests, SAP Replication Server, SAP Bank Account Management, SAP Enable Now and SAP Global Label Management (GLM).
The attacker could exploit some of these vulnerabilities to gain access, obtain sensitive information, perform cross-site scripting attacks, or gain elevated privileges to the affected products.
Sample of the addressed vulnerabilities:
1. SAP NetWeaver Application Server ABAP and ABAP Platform File Upload Vulnerability (CVE-2024-33006):
- CVSS: 9.6
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Gain Access
2. SAP Business Objects Business Intelligence Platform Cross-site Scripting Vulnerability (CVE-2024-28165):
- CVSS: 8.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Cross-Site Scripting
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.