SAP Patches Multiple Vulnerabilities in November 2024 Security Patch Day
SAP has released eight new security notes and two updates to previously released notes in its November 2024 Security Patch Day, addressing critical vulnerabilities across various products.
The security notes cover a range of vulnerabilities, including cross-site scripting (XSS), missing authorization checks, local privilege escalation, information disclosure, and NULL pointer dereference. The updates address vulnerabilities in products such as SAP Web Dispatcher, SAP PDCE, SAP NetWeaver AS Java, SAP Host Agent, SAP NetWeaver Application Server for ABAP and ABAP Platform, SAP NetWeaver Java (Software Update Manager), and SAP Cash Management.
Among the released notes, CVE-2024-47590, an XSS vulnerability in SAP Web Dispatcher, is rated as High priority with a CVSS score of 8.8. This vulnerability could allow attackers to inject malicious scripts into web pages viewed by users, potentially leading to data theft or session hijacking.
Another High priority vulnerability, CVE-2024-39592, is a missing authorization check in SAP PDCE with a CVSS score of 7.7. This vulnerability could allow unauthorized access to sensitive data or functionality.
SAP strongly recommends that organizations apply these patches promptly to secure their systems against potential exploitation. Administrators are encouraged to review each Security Note and update SAP products to the latest patched versions to mitigate risks.
For detailed information, users can access SAP’s official security portal, where each vulnerability is documented with further remediation steps. By staying proactive with these updates, organizations can protect their SAP infrastructure from unauthorized access, data breaches, and other security threats.