"SAP Patches High-Severity Vulnerabilities in Financial Consolidation, NetWeaver"

Enterprise software maker SAP recently released ten new and two updated security notes as part of its June 2024 Security Patch Day. The latest patches include two high-priority security notes, the most severe of which addresses a cross-site scripting (XSS) bug in Financial Consolidation. The first high-priority security note addresses two XSS flaws in the product, collectively tracked as CVE-2024-37177 (CVSS score of 8.1). The second high-priority note resolves a denial-of-service (DoS) vulnerability in SAP NetWeaver AS Java, tracked as CVE-2024-34688 (CVSS score of 7.5). Eight of the remaining security notes released on SAP's June 2024 Security Patch Day address medium-severity vulnerabilities in the NetWeaver and ABAP platform, Document Builder, S/4HANA, CRM, BW/4HANA Transformation and DTP, Student Life Cycle Management, and NetWeaver AS Java products. SAP noted that successfully exploiting these issues could result in DoS conditions, arbitrary file uploads, information disclosure, or data tampering. The remaining two security notes, one new and one updated, resolve low-severity issues in BusinessObjects Business Intelligence Platform and Central Finance Infrastructure Components. SAP did not say whether any of these vulnerabilities are being exploited in the wild.

 

SecurityWeek reports: "SAP Patches High-Severity Vulnerabilities in Financial Consolidation, NetWeaver"

Submitted by Adam Ekwall on