German enterprise software giant SAP has announced the release of 14 new security notes and three updates to previously released notes as part of its May 2024 Security Patch Day.
The most significant new note addresses a critical vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform, tracked as CVE-2024-33006, with a CVSS score of 9.6. This vulnerability allows an unauthenticated attacker to upload a malicious file to the server, potentially leading to complete system compromise when accessed by a victim.
The CVE-2024-33006 flaw affects the SAP_BASIS versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, and 758.
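The vulnerability class described above is an unauthenticated, unrestricted file upload. The following is an added example, not SAP's code and not derived from the patched component; it shows the generic server-side controls a defender expects on any upload endpoint: require authentication, cap the size, allowlist extensions after normalising the client-supplied name, check that the content matches the declared type, and never store the file under the name the client sent. Every name, the magic-byte table, and the sample uploads are constructed for this example.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical policy: only the file types the application actually needs.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".csv"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# Leading bytes expected for each binary type (constructed for this example;
# a production validator would use a full content-sniffing library).
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n"}


@dataclass
class Upload:
    client_name: str   # filename as sent by the client, never trusted
    content: bytes


def _extension(client_name: str) -> str:
    # Keep only the last path component so "../../x.pdf" and "x.pdf" look alike,
    # and lowercase the extension so "X.PDF" cannot bypass the allowlist.
    base = os.path.basename(client_name.replace("\\", "/"))
    return os.path.splitext(base)[1].lower()


def check_upload(up: Upload, authenticated: bool) -> Optional[str]:
    """Return None if the upload is acceptable, else a short rejection reason."""
    if not authenticated:
        return "unauthenticated"          # upload endpoints must not be anonymous
    if len(up.content) > MAX_UPLOAD_BYTES:
        return "too large"
    ext = _extension(up.client_name)
    if ext not in ALLOWED_EXTENSIONS:
        return "extension not allowed"    # also rejects "report.pdf.html" (last ext wins)
    if ext in MAGIC and not up.content.startswith(MAGIC[ext]):
        return "content mismatch"         # HTML or script bytes renamed to .pdf
    if ext == ".csv":
        try:
            up.content.decode("utf-8")
        except UnicodeDecodeError:
            return "csv not text"
    return None


def storage_name(up: Upload) -> str:
    """Random server-chosen name; the client name never reaches the filesystem."""
    return secrets.token_hex(16) + _extension(up.client_name)


# Constructed sample uploads exercising the accept and reject paths.
SAMPLES: Dict[str, Upload] = {
    "pdf_ok": Upload("report.pdf", b"%PDF-1.7\n%constructed\n"),
    "html_as_pdf": Upload("report.pdf", b"<html><script>alert(1)</script></html>"),
    "double_ext": Upload("report.pdf.html", b"<html></html>"),
    "traversal": Upload("../../../etc/x.pdf", b"%PDF-1.7\n"),
    "png_ok": Upload("logo.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
}

if __name__ == "__main__":
    for name, up in SAMPLES.items():
        verdict = check_upload(up, authenticated=True)
        outcome = "accept as " + storage_name(up) if verdict is None else "reject: " + verdict
        print(f"{name:12s} -> {outcome}")
```

The accepted file should additionally be written outside the web root and served back with a fixed `Content-Type` and `Content-Disposition: attachment`, so that even a file which passes these checks is never interpreted by a victim's browser as a page from the application's origin.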
Two critical vulnerabilities, identified as CVE-2019-17495 and CVE-2022-36364, were also addressed in SAP CX Commerce. These vulnerabilities could pose significant risks if left unpatched, underscoring the need for immediate updates.
SAP also updated a ‘Hot News’ security note for the Chromium browser component within SAP Business Client. Two medium-priority notes received updates this month, dealing with vulnerabilities in the Enterprise Services Repository of SAP Process Integration and in SAP Process Integration itself.
A high-priority note was released to address CVE-2024-28165, a cross-site scripting (XSS) vulnerability in the SAP BusinessObjects Business Intelligence Platform, with a CVSS score of 8.1. This vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users, leading to potential data breaches.
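To make the XSS mechanism concrete, the following added example (not SAP's code and unrelated to the BusinessObjects fix) renders the same untrusted value into three HTML contexts, once unsafely and once with context-appropriate encoding, and uses Python's own HTML parser to show which renderings let the value introduce tags or attributes of its own. The payload strings and the `render_*` helpers are constructed for this example.

```python
import html
import json
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed untrusted value, e.g. a report title an attacker controls.
PAYLOAD = '<img src=x onerror="alert(1)">'


def render_title_unsafe(title: str) -> str:
    # Vulnerable pattern: raw interpolation into the HTML body context.
    return f"<h1>{title}</h1>"


def render_title_safe(title: str) -> str:
    # Body context: escape < > & " ' so the value is inert text.
    return f"<h1>{html.escape(title, quote=True)}</h1>"


def render_attr_unsafe(value: str) -> str:
    # Vulnerable pattern: quoted attribute, but the value can close the quote.
    return f'<input name="title" value="{value}">'


def render_attr_safe(value: str) -> str:
    # Attribute context: the value must be quoted AND escaped (quote=True covers " and ').
    return f'<input name="title" value="{html.escape(value, quote=True)}">'


def render_js_unsafe(value: str) -> str:
    # Common mistake: JSON-encoding alone does not stop "</script>" from ending the block.
    return f"<script>var title = {json.dumps(value)};</script>"


def render_js_safe(value: str) -> str:
    # Script context: JSON-encode and neutralise "</" so the string cannot close <script>.
    literal = json.dumps(value).replace("</", "<\\/")
    return f"<script>var title = {literal};</script>"


class _Structure(HTMLParser):
    """Collects (tag, [attribute names]) for every start tag the browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.found: List[Tuple[str, List[str]]] = []

    def handle_starttag(self, tag, attrs):
        self.found.append((tag, [name for name, _ in attrs]))


def structure(fragment: str) -> List[Tuple[str, List[str]]]:
    """Parse a fragment and return its tags and attribute names; a safe rendering
    contains only the tag(s) the template itself wrote."""
    p = _Structure()
    p.feed(fragment)
    p.close()
    return p.found


if __name__ == "__main__":
    attr_payload = '" onmouseover="alert(1)'
    js_payload = "</script><script>alert(1)</script>"
    for label, fragment in [
        ("body unsafe", render_title_unsafe(PAYLOAD)),
        ("body safe", render_title_safe(PAYLOAD)),
        ("attr unsafe", render_attr_unsafe(attr_payload)),
        ("attr safe", render_attr_safe(attr_payload)),
        ("js unsafe", render_js_unsafe(js_payload)),
        ("js safe", render_js_safe(js_payload)),
    ]:
        print(f"{label:12s} {structure(fragment)}")
```

The point the parser check makes is that escaping is per context: `html.escape` is right for body text and quoted attributes, but useless inside a `<script>` block, where the string must be JSON-encoded and the `</` sequence broken. A Content-Security-Policy that disallows inline scripts is a worthwhile second layer, but it does not replace output encoding.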
The remaining notes address various medium- and low-severity vulnerabilities across a range of SAP products, including:
- SAP S/4HANA
- SAP My Travel Requests
- SAP Replication Server
- SAP BusinessObjects Business Intelligence Platform
- SAP Global Label Management
- SAP Bank Account Management
- SAP UI5
Organizations using SAP products are strongly encouraged to apply these patches promptly to mitigate potential risks and ensure the integrity of their systems.