Overview

SAP’s security patch day for June 2023 saw the release of 11 new OSS SAP security notes. Based on their CVSS v3.0 ratings, three notes have been classified as high, seven as medium and one as low.

CVSS scores as bar chart

Three notes have been released for SAP NetWeaver, two for SAP CRM, and two for SAPUI5. Single notes have been released for SAP BusinessObjects, SAP Knowledge Warehouse, SAP Business Client, SAP CRM ABAP and SAP S/4HANA.

Product Categories as bar chart

Vulnerabilities: June 2023 Highlights

[CVE-2023-30743] Improper Neutralisation of Input in SAPUI5 (SAP Note 3326210)

Due to improper neutralisation of input in SAPUI5, the sap.m.FormattedText control allows the injection of untrusted CSS, which blocks user interaction with the application. Further, if the application does not validate URLs, the vulnerability could allow an attacker to read or modify user information through a phishing attack.

[CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (SAP Note 3322800)

This note supplements the fix provided in 3315971. An attacker could lure a victim into clicking a malicious URL, which executes a script in the victim user’s session. The attacker could then read or modify the information in the victim’s session.

[CVE-2023-32114] Denial of Service in SAP NetWeaver (SAP Note 3325642)

The SAP NetWeaver Change and Transport System allows an authenticated user with admin privileges to run a malicious benchmark program repeatedly. Although the program is intended to slow down or disable the server, it may have a limited impact on the application’s availability. Thankfully, there is no impact on its confidentiality and integrity.

About this Review

On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
