The most important of the newly released security notes patches a missing authorization check in SAP NetWeaver Application Server for Java. Tracked as CVE-2021-37535, the vulnerability has a CVSS score of 10. Two other critical vulnerabilities (CVSS score of 9.9) were addressed with Hot News security notes for NetWeaver. These include CVE-2021-38163, an unrestricted file…

Tracked as CVE-2021-21477 and featuring a CVSS score of 9.9, the critical issue could be abused for remote code execution, SAP explains in its advisory. The vulnerability impacts SAP Commerce if the rule engine extension is installed. Meant to define and execute rules to manage decision-making scenarios, the rule engine uses a ruleContent attribute offering…

The most important of these is a cross-site scripting (XSS) flaw in the Knowledge Management component of NetWeaver. Tracked as CVE-2020-6284 and featuring Hot News priority, the issue has a CVSS score of 9. A default component of all SAP Enterprise Portal installations, Knowledge Management allows users to manage data sources in multiple formats, to…

Vulnerability Impacts Web-Exposed SAP Systems

The bug could be exploited by an external attacker to remotely obtain the list of SAP users from the system, says Sergiu Popa of Quenta Solutions, whom SAP credited with reporting the vulnerability. “This service is actually an example of application to create a time-off request. This service should not be activated in production systems,…