Overview
SAP’s security patch day for October 2023 saw the release of seven OSS SAP security notes. One note has been classified as critical and six as medium, based on their CVSS v3.0 base scores.

Two notes have been released for:
- SAP NetWeaver AS JAVA
In addition, single notes have been released for:
- SAP BusinessObjects
- SAP PowerDesigner
- SAP Business One
- SAP S/4HANA
- SAP Business Client

Vulnerabilities: October 2023 Highlights
[CVE-2023-42474] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence (SAP Note 3372991)
SAP BusinessObjects Web Intelligence does not sufficiently encode user-controlled input. An attacker can craft a link that, when opened by a victim, executes attacker-supplied script in the victim’s browser session; this could be used to retrieve sensitive information.
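The mechanism behind this class of bug, as an added Python example (not code from this page, from SAP or from Absoft): two query parameters from a crafted link are reflected into a page, first without encoding and then encoded for the context each value lands in. The host bi.example, the endpoint and the parameter names are assumptions, and the crafted link is constructed for the example.

```python
"""Added illustration, not SAP code: how reflecting query parameters without encoding
for the right context yields the kind of link-based XSS described above, and the fix."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample of a link an attacker would send to a user. The host bi.example and
# the parameter names are placeholders; both values are attacker-controlled.
CRAFTED_LINK = ("https://bi.example/webi/open"
                "?name=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E"
                "&back=javascript:alert(document.cookie)")


def reflected_params(link):
    """Return the (name, back) query values exactly as the server would receive them."""
    query = parse_qs(urlsplit(link).query)
    return query.get("name", [""])[0], query.get("back", [""])[0]


def render_vulnerable(name, back):
    """Reflects both values verbatim: name breaks out into markup and runs on page load,
    back becomes a javascript: link that runs when clicked."""
    return f'<h1>Report: {name}</h1><a href="{back}">Back</a>'


def safe_href(url):
    """Encoding alone does not neutralise a javascript: URL inside href, so allow only
    http(s) or relative targets, then attribute-encode what is left."""
    if urlsplit(url).scheme.lower() not in ("", "http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_hardened(name, back):
    """Encode each value for the context it lands in: HTML text for the heading,
    scheme allowlist plus attribute encoding for the link target."""
    return (f'<h1>Report: {html.escape(name, quote=True)}</h1>'
            f'<a href="{safe_href(back)}">Back</a>')


if __name__ == "__main__":
    name, back = reflected_params(CRAFTED_LINK)
    print(render_vulnerable(name, back))
    print(render_hardened(name, back))
```

The point the second renderer makes is that "encode the input" is context-dependent: HTML-escaping neutralises the heading payload, but a javascript: URL survives escaping unchanged and has to be rejected by scheme before it reaches an href.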
[CVE-2023-40310] Missing XML Validation vulnerability in SAP PowerDesigner Client (BPMN2 import) (SAP Note 3357154)
Due to insufficient validation in the SAP PowerDesigner Client, BPMN2 XML documents imported from an untrusted source are not adequately checked: the URLs of external entities declared in a BPMN2 file are accessed during import even though the entities are never used. A successful attack could therefore impact the availability of the SAP PowerDesigner Client. Until the note is applied, BPMN2 files should only be imported from trusted sources.
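To make the external-entity behaviour concrete, an added Python example (not SAP’s code and not from this page) using the standard library SAX parser: a constructed BPMN2 file whose DOCTYPE points at an external DTD that the document body never uses is imported once with external entity loading switched on, and once through a hardened routine that rejects any DOCTYPE up front. The host attacker.example is a placeholder and no network request is made; a recording resolver stands in for the fetch so the example runs offline.

```python
"""Added illustration, not SAP code: an XML import that lets a DOCTYPE in an untrusted
BPMN2 file reach out to an attacker-chosen URL, beside an import that refuses it."""
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed sample BPMN2 file. The DOCTYPE points at an external DTD that nothing in
# the document body uses; the hostname attacker.example is a placeholder.
MALICIOUS_BPMN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE definitions SYSTEM "http://attacker.example/probe.dtd">
<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL" id="defs1">
  <process id="proc1"><task id="task1" name="Review order"/></process>
</definitions>
"""

# The same model without the DOCTYPE, as a benign import would look.
CLEAN_BPMN = MALICIOUS_BPMN.replace(
    b'<!DOCTYPE definitions SYSTEM "http://attacker.example/probe.dtd">\n', b"")


class RecordingResolver(EntityResolver):
    """Stands in for the network: records each URL the parser tries to reach and hands
    back a harmless constructed DTD instead of opening a connection."""

    def __init__(self):
        self.accessed = []

    def resolveEntity(self, publicId, systemId):
        self.accessed.append(systemId)
        source = InputSource(systemId)
        source.setByteStream(io.BytesIO(b"<!-- constructed stand-in for the remote DTD -->\n"))
        return source


class IdCollector(ContentHandler):
    """Minimal 'import': keep the id of every BPMN element seen."""

    def __init__(self):
        super().__init__()
        self.ids = []

    def startElement(self, name, attrs):
        if "id" in attrs:
            self.ids.append(attrs["id"])


def _parse(data, load_external):
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, load_external)
    resolver = RecordingResolver()
    parser.setEntityResolver(resolver)
    collector = IdCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.ids, resolver.accessed


def import_bpmn_vulnerable(data):
    """Loads external entities, so the DTD URL is fetched even though it is never used."""
    return _parse(data, load_external=True)


def import_bpmn_hardened(data):
    """BPMN2 never needs a DTD: reject any DOCTYPE before parsing and keep external
    entity loading off, so an untrusted file cannot make the client reach out or hang."""
    if b"<!DOCTYPE" in data:
        raise ValueError("BPMN2 import rejected: DOCTYPE/external entities are not allowed")
    return _parse(data, load_external=False)


if __name__ == "__main__":
    print(import_bpmn_vulnerable(MALICIOUS_BPMN))  # element ids plus the URL that was reached
    print(import_bpmn_hardened(CLEAN_BPMN))        # element ids, no URL accessed
```

Python’s SAX parser has had external general entities disabled by default since 3.7.1, which is why the vulnerable variant has to switch them on explicitly; parsers and XML libraries whose defaults are the other way round behave like the vulnerable variant without any such call, which is the situation the note describes. Rejecting the DOCTYPE before the parser ever sees the file is the check that does not depend on knowing a particular library’s defaults.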
[CVE-2023-41365] Information Disclosure vulnerability in SAP Business One (B1i) (SAP Note 3338380)
SAP Business One (B1i) allows an unauthorised attacker to retrieve the detailed stack trace from a fault message and use it to conduct an XXE injection, leading to information disclosure.
About this Review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including SAP’s process, the CVE process and CVSS base scores, in our earlier article on addressing security vulnerabilities in SAP software.