Security News > 2020 > June > Critical Vulnerability Patched in SAP Commerce
The most important of these patches are two Hot News Security Notes addressing critical vulnerabilities in SAP Liquidity Management for Banking and SAP Commerce.
Also rated Hot News and featuring a CVSS score of 9.8 is a Security Note addressing hard-coded user credentials in SAP Commerce and SAP Commerce Data Hub.
Existing SAP Commerce installations remain vulnerable even after the update, as the patch does not remove the default passwords from built-in accounts.
Four High Priority Security Notes were included in this month's SAP Security Patch Day: information disclosure in SAP Commerce, missing XML validation in SAP Solution Manager, missing authorization check in SAP SuccessFactors Recruitment Management, and server-side request forgery in SAP NetWeaver AS ABAP. All of the remaining Security Notes that SAP included in this month's set of patches have been rated Medium Priority: authentication bypass in standalone clients connecting to NetWeaver AS Java via the P4 protocol, missing authorization checks in Netweaver AS ABAP and ERP, incomplete XML validation in Solution Manager, cross-site scripting in Netweaver, URL redirections in Fiori for S/4HANA, and information disclosures in Business One and Business Objects.
SAP released updates for a Security Note published on the July 2019 Security Patch Day, which addresses a content injection vulnerability in SAP Gateway.
News URL
Related news
- Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks (source)
- CISA Flags Critical Ivanti vTM Vulnerability Amid Active Exploitation Concerns (source)
- PoC for critical SolarWinds Web Help Desk vulnerability released (CVE-2024-28987) (source)
- Critical NVIDIA Container Toolkit Vulnerability Could Grant Full Host Access to Attackers (source)
- Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519) (source)
- Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability (source)
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems (source)
- New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution (source)
- Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware (source)