Security News > 2020 > June > Critical Vulnerability Patched in SAP Commerce

The most important of these patches are two Hot News Security Notes addressing critical vulnerabilities in SAP Liquidity Management for Banking and SAP Commerce.

Also rated Hot News and featuring a CVSS score of 9.8 is a Security Note addressing hard-coded user credentials in SAP Commerce and SAP Commerce Data Hub.

Existing SAP Commerce installations remain vulnerable even after the update, as the patch does not remove the default passwords from built-in accounts.

Four High Priority Security Notes were included in this month's SAP Security Patch Day: information disclosure in SAP Commerce, missing XML validation in SAP Solution Manager, missing authorization check in SAP SuccessFactors Recruitment Management, and server-side request forgery in SAP NetWeaver AS ABAP. All of the remaining Security Notes that SAP included in this month's set of patches have been rated Medium Priority: authentication bypass in standalone clients connecting to NetWeaver AS Java via the P4 protocol, missing authorization checks in Netweaver AS ABAP and ERP, incomplete XML validation in Solution Manager, cross-site scripting in Netweaver, URL redirections in Fiori for S/4HANA, and information disclosures in Business One and Business Objects.

SAP released updates for a Security Note published on the July 2019 Security Patch Day, which addresses a content injection vulnerability in SAP Gateway.

News URL

http://feedproxy.google.com/~r/Securityweek/~3/xeJ6bGzrZYs/critical-vulnerability-patched-sap-commerce