Enterprise software giant SAP has released a set of critical security patches as part of its June 2024 Security Patch Day. These updates include two high-priority notes addressing vulnerabilities such as cross-site scripting (XSS) in Financial Consolidation and a denial-of-service (DoS) issue in SAP NetWeaver AS Java.
The XSS vulnerabilities in Financial Consolidation, tracked as CVE-2024-37177 with a CVSS score of 8.1, allow attackers to manipulate web application content, posing risks to confidentiality and integrity. Meanwhile, the note for CVE-2024-34688, rated 7.5 on the CVSS scale, addresses a DoS flaw in NetWeaver AS Java: unrestricted access to Meta Model Repository services can be exploited, potentially disrupting service availability.
Additional security notes cover medium-severity vulnerabilities across SAP platforms like NetWeaver, ABAP, S/4HANA, and CRM, affecting functionalities such as document handling and data processing. These vulnerabilities could lead to scenarios like denial of service, arbitrary file uploads, information disclosure, or data manipulation.
Despite no known exploits in the wild, SAP advises prompt installation of these updates to safeguard against potential security breaches. Organizations using SAP software are encouraged to prioritize patch deployment to mitigate risks associated with these vulnerabilities.