This month, eight new SAP patches were released including six to fix XSS vulnerabilities.
A total of 13 Security Notes, comprising eight new notes and five updates to previously released security patches, were published by SAP this week. The June 2023 Security Patch Day underscored Cross-Site Scripting (XSS) as the most common vulnerability type seen across different components, including one High Priority Security Note for SAP Knowledge Warehouse.
Every second Tuesday of the month, the SAP Product Security Response Team releases SAP Security Notes to help customers apply patches promptly, in priority order, to protect their SAP landscape. External researchers and IT security professionals such as Onapsis work together with SAP to continuously discover and resolve security vulnerabilities, helping to maintain the security and safety of its customers’ and partners’ SAP systems.
SAP Patches Several XSS Vulnerabilities
On the 13th of June, four High Priority, eight Medium Priority, and one Low Priority Security Notes were announced by SAP. Onapsis Research Labs, a team of security experts with in-depth knowledge and experience in security and threat intelligence affecting business-critical applications, contributed to fixing one of the critical vulnerabilities affecting the Transport Management System. This Security Note is the 37th patch that Onapsis has contributed to SAP this year.
There is no Hot News published this month.
High Priority Vulnerabilities
Four SAP Security Notes were categorized as High Priority, including two Cross-Site Scripting (XSS) vulnerabilities.
Note #3102769, with the highest CVSS score of 8.8, is an updated patch for an XSS vulnerability in SAP Knowledge Warehouse.
Note #334285, tagged with a CVSS score of 8.2, fixes a new Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management).
Note #3301942, given a CVSS score of 7.9, patches a Missing Authentication vulnerability in SAP Plant Connectivity and Production Connector for SAP Digital Manufacturing.
Note #3326210, tagged with a CVSS score of 7.1, is an updated patch for a vulnerability identified on the May 2023 SAP Patch Day, an Improper Neutralization of Input in SAP.
Medium Priority Vulnerabilities
Seven Security Notes were categorized as Medium Priority, six of which patch Cross-Site Scripting (XSS) vulnerabilities.
Note #3142092, rated with a CVSS score of 6.5, patches an Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier, and Customer).
Note #3318657, tagged with a CVSS score of 6.4, is another security patch for an XSS vulnerability, specifically in SAP NetWeaver (Design Time Repository).
Note #2826092, given a CVSS score of 6.1, also patches a new XSS vulnerability, this time in SAP CRM ABAP (Grantor Management).
Note #3319400, with a CVSS score of 6.1, is an updated patch for the XSS vulnerability in the SAP BusinessObjects Business Intelligence platform.
Note #3331627, rated with a CVSS score of 6.1, fixes an XSS vulnerability in SAP NetWeaver (Enterprise Portal).
Note #3322800, tagged with a CVSS score of 6.1, is Update 1 to Security Note 3315971 ([CVE-2023-30742] XSS vulnerability in SAP CRM (WebClient UI)).
Note #3315971, with a CVSS score of 6.1, is an update to a previously patched XSS vulnerability in SAP CRM (WebClient UI).
Low Priority Vulnerability
Note #3325642, tagged as the only Low Priority vulnerability this month with a CVSS score of 2.7, fixes an issue in the Transport Management System that may result in a Denial of Service in SAP NetWeaver (Change and Transport System). SAP and Onapsis worked together to identify this vulnerability and help users resolve it.