SAP Patches for XSS, Log Injection & Other Vulnerabilities

by Esmeralda McKenzie
SAP October Patches

SAP has released the security patches for its October 2023 Patch Day, which contains new Security Notes and 2 updates to previously released Security Notes.

Seven security vulnerabilities have been fixed as part of the patch, including Cross-Site Scripting (XSS), Missing XML Validation, Server-Side Request Forgery, Missing Authorization Check, Log Injection, and Information Disclosure vulnerabilities.

Vulnerabilities Found

CVE-2023-42474: Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence

This vulnerability exists in SAP BusinessObjects Web Intelligence due to a vulnerable URL parameter that could allow a threat actor to send a malicious link to a victim and extract sensitive data. The severity of this vulnerability has been rated 6.8 (Medium).
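The vulnerability class above, reflecting a URL parameter into a page without output encoding, is easiest to see side by side with its fix. The following is an added illustration written for this article, not code from SAP or from the affected product; the `report` parameter, the hostname `bi.example.invalid` and the link are constructed placeholders. It shows the two contexts a practitioner has to handle separately: text in the HTML body, where entity encoding is sufficient, and a URL placed in an `href`, where encoding alone does not stop a `javascript:` scheme.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed example link: the parameter value carries markup that a vulnerable
# page would reflect verbatim into its HTML.
CONSTRUCTED_LINK = "https://bi.example.invalid/report?name=<script>alert(1)</script>"


def extract_param(url: str, name: str) -> str:
    """Return the first value of a query-string parameter (empty string if absent)."""
    query = parse_qs(urlsplit(url).query)
    return query.get(name, [""])[0]


def render_vulnerable(report_name: str) -> str:
    """The defective pattern: user-controlled text is inserted into HTML unchanged."""
    return f"<h1>Report: {report_name}</h1>"


def render_hardened(report_name: str) -> str:
    """HTML-body context: entity-encode every user-controlled character.

    html.escape(quote=True) also encodes the quote characters, so the same helper is
    safe for values placed inside a quoted attribute.
    """
    return f"<h1>Report: {html.escape(report_name, quote=True)}</h1>"


# Only schemes that cannot execute script when used as a link target.
SAFE_URL_SCHEMES = {"http", "https"}


def safe_href(url: str) -> str:
    """href context: validate the scheme first, then entity-encode for the attribute.

    Encoding does not neutralise a 'javascript:' URL, because the browser decodes the
    attribute value before interpreting it as a link, so unknown schemes are replaced.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in SAFE_URL_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


if __name__ == "__main__":
    name = extract_param(CONSTRUCTED_LINK, "name")
    print("vulnerable:", render_vulnerable(name))
    print("hardened:  ", render_hardened(name))
    print("href:      ", safe_href("javascript:alert(1)"))
```

The usual place to apply this is the templating layer: enable auto-escaping for body text and route every link target through a scheme allowlist, rather than relying on callers to remember either step.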

CVE-2023-40310: Missing XML Validation vulnerability in SAP PowerDesigner Client (BPMN2 import)

This vulnerability exists due to insufficient validation of BPMN2 XML documents imported from an untrusted source, which leads to URLs of external entities in the BPMN2 file being accessed. The severity of this vulnerability has been rated 6.5 (Medium).

CVE-2023-42477: Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application)

This vulnerability could allow a threat actor to send a crafted request from the vulnerable web application, leading to a limited impact on the confidentiality and integrity of the application. The severity of this vulnerability has been rated 6.5 (Medium).

CVE-2023-42473: Missing Authorization Check in S/4HANA (Manage Withholding Tax Items)

This vulnerability exists due to the lack of authorization checks for an authenticated user, leading to an escalation of privileges in the application. The severity of this vulnerability has been rated 5.4 (Medium).

CVE-2023-31405: Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer)

This vulnerability was previously addressed in the SAP security patch of July 2023. However, as part of the new release notes, a further update to the vulnerability has been published. The severity of this vulnerability has been rated 5.3 (Medium).
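Log injection of the kind named above works because a value that reaches the log unfiltered can carry line breaks, so one submitted string is displayed by a log viewer as several records. The following added example is written for this article and is not SAP code or a reproduction of the Log Viewer fix; the log line format, the `neutralize` and `format_event` helpers and the forged username are constructed. It shows the defective and the hardened formatter together with a simple record counter of the kind a viewer uses, so the effect of the control-character escaping is measurable.

```python
import re
from datetime import datetime, timezone

# ASCII control characters (CR, LF, tab, ...) plus the C1 range. These are what let a
# single logged value terminate the current record and start a fake one.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# A record in the constructed format begins with an ISO-8601 timestamp.
_RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")


def neutralize(value: str) -> str:
    """Escape control characters so a user-controlled value stays on one physical line."""
    def escape(match: "re.Match[str]") -> str:
        ch = match.group(0)
        return {"\n": "\\n", "\r": "\\r", "\t": "\\t"}.get(ch, "\\x%02x" % ord(ch))
    return _CONTROL.sub(escape, value)


def format_event_vulnerable(when: datetime, action: str, user: str, outcome: str) -> str:
    """The defective pattern: the user-supplied name is written into the record unchanged."""
    return f"{when.isoformat()} {action} user={user} outcome={outcome}"


def format_event(when: datetime, action: str, user: str, outcome: str) -> str:
    """Hardened formatter: every untrusted field is neutralised before it is written."""
    return f"{when.isoformat()} {action} user={neutralize(user)} outcome={outcome}"


def count_records(log_text: str) -> int:
    """Count what a line-oriented viewer would display as separate records."""
    return sum(1 for line in log_text.splitlines() if _RECORD_START.match(line))


# Constructed forged username: a failed login whose 'name' embeds a second, fake record.
FORGED_USERNAME = "guest\n2023-10-10T12:00:00+00:00 LOGIN user=admin outcome=success"
EVENT_TIME = datetime(2023, 10, 10, 12, 0, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    bad = format_event_vulnerable(EVENT_TIME, "LOGIN", FORGED_USERNAME, "failure")
    good = format_event(EVENT_TIME, "LOGIN", FORGED_USERNAME, "failure")
    print(f"vulnerable formatter produced {count_records(bad)} apparent record(s)")
    print(f"hardened formatter produced {count_records(good)} record(s):")
    print(good)
```

Escaping at the point of logging is preferable to filtering at the viewer, because the stored file is what forensics and SIEM ingestion read; a structured format such as JSON lines achieves the same result by construction, since its serialiser escapes control characters in every string field.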

CVE-2023-41365: Information Disclosure vulnerability in SAP Business One (B1i)

This vulnerability allows an authenticated threat actor to extract details of the fault message stack in order to conduct an XXE injection, leading to information disclosure. The severity of this vulnerability has been rated 4.3 (Medium).
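Both the BPMN2 import issue (CVE-2023-40310) and the B1i issue above come down to XML from an untrusted party being parsed with entity processing left enabled. The example below is added for this article and is not SAP code or the fix SAP shipped; it uses only the Python standard library, and the BPMN2 document and the external-entity sample are constructed. It rejects a document as soon as a DOCTYPE, an entity declaration or an external entity reference appears, before any entity could be resolved, and only then hands the document to a tree parser.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UntrustedXMLError(ValueError):
    """Raised when an untrusted document declares a DTD or entities."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Fires at the DOCTYPE, i.e. before any entity in the internal subset is seen.
    raise UntrustedXMLError(f"DOCTYPE {name!r} is not allowed in imported documents")


def _reject_entity(name, is_parameter, value, base, sysid, pubid, notation):
    # Covers internal entities too, which blocks expansion attacks as well as XXE.
    raise UntrustedXMLError(f"entity declaration {name!r} is not allowed")


def _reject_external(context, base, sysid, pubid):
    # Defence in depth: never fetch a system identifier on behalf of the document.
    raise UntrustedXMLError(f"external entity reference to {sysid!r} blocked")


def check_untrusted_xml(data: bytes) -> None:
    """Scan the document with expat and abort on any DTD or entity construct.

    Raises UntrustedXMLError for policy violations and ExpatError for malformed XML.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.ExternalEntityRefHandler = _reject_external
    parser.Parse(data, True)


def is_safe_xml(data: bytes) -> bool:
    """True if the document passes the policy and is well-formed."""
    try:
        check_untrusted_xml(data)
        return True
    except (UntrustedXMLError, xml.parsers.expat.ExpatError):
        return False


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse an untrusted document into an element tree, or raise before resolving anything."""
    check_untrusted_xml(data)
    # With no DOCTYPE present there are no entities for the tree parser to expand.
    return ET.fromstring(data)


# Constructed, benign BPMN2 document (the namespace is the BPMN 2.0 model namespace).
SAFE_BPMN = b"""<?xml version="1.0" encoding="UTF-8"?>
<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL" id="constructed">
  <process id="p1"><task id="t1" name="Review"/></process>
</definitions>"""

# Constructed sample of the pattern the check must refuse: an external entity whose
# system identifier points at a placeholder path. It is never resolved.
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE definitions [<!ENTITY ext SYSTEM "file:///placeholder/not-read">]>
<definitions><task name="&ext;"/></definitions>"""


if __name__ == "__main__":
    print("benign import accepted:", parse_untrusted_xml(SAFE_BPMN).tag)
    print("external entity sample accepted:", is_safe_xml(XXE_SAMPLE))
```

For the fault-message side of CVE-2023-41365 the complementary control is on output: parser error messages returned to a caller should be generic, since echoing the parser's own diagnostics is what turns a blocked entity into an information leak.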

CVE-2023-42475: Information Disclosure Vulnerability in Statutory Reporting

This vulnerability was due to a vulnerable file storage feature, which could allow a low-privileged attacker to read server files. The severity of this vulnerability has been rated 4.3 (Medium).

Multiple SAP products have been affected by these vulnerabilities, which have been patched as part of this security release. A full release report has been published by SAP, which provides detailed information on the affected products and other details.

Users of these products are urged to upgrade to the latest versions of the product to prevent these vulnerabilities from being exploited.

Source credit : cybersecuritynews.com