SAP Security Notes Review: August 2023

[CVE-2023-37483] Multiple Vulnerabilities in SAP PowerDesigner (SAP Note 3341460)

Multiple security vulnerabilities have been identified in PowerDesigner Proxy. The first concerns improper access control hence allowing an unauthenticated attacker to run arbitrary queries against the back-end database via Proxy. Further, the second potentially allows an attacker to access password hashes from the backend database.

[CVE-2023-39437] Cross-Site Scripting (XSS) vulnerability in SAP Business One (SAP Note 3358300)

An attacker could insert malicious code into the content of a web page or application and deliver it to the client due to a vulnerability in SAP Business One. This could subsequently lead to harmful actions affecting the Confidentiality, Integrity, and Availability of the application.

 [CVE-2023-39439] Improper authentication in SAP Commerce Cloud (SAP Note 3346500)

Certain configurations of SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication hence allowing users can log into the system without a passphrase.

[CVE-2023-37491] Improper Authorization check vulnerability in SAP Message Server (SAP Note 3344295)

Authenticated malicious users can bypass the ACL (Access Control List) of the SAP Message Server under certain conditions. As a result, they can enter the network of the SAP systems served by the attacked server.