SAP Patches High-Severity Vulnerabilities in PDCE, Commerce


Enterprise software maker SAP on Tuesday announced the release of 16 new and two updated security notes as part of its July 2024 patch day, including two notes dealing with high-severity vulnerabilities.

The most severe of the issues is a missing authorization check in PDCE (Product Design Cost Estimating), a lifecycle costing tool. Tracked as CVE-2024-39592 (CVSS score of 7.7/10), the bug could allow an attacker to read generic table data, according to SAP.

The second high-priority note resolves CVE-2024-39597 (CVSS score of 7.2/10), an improper authorization check in SAP Commerce that could provide attackers with access to improperly configured sites.

“An attacker can misuse the forgotten password functionality to gain access to a site for which early login and registration is activated, without requiring the merchant to approve the account beforehand,” according to a separate advisory from application security firm Onapsis.

“If the site is not configured as an isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites,” the company added.
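The flaw class Onapsis describes, an approval gate that the password-reset path never consults, is easiest to see in a small model. The following is an added illustration written for this page, not SAP Commerce code and not derived from it: the `Storefront` class, the site names, the `isolated` flag and the `approved` field are hypothetical stand-ins for the real configuration and say nothing about how SAP's implementation is structured. It contrasts a reset/login pair that ignores merchant approval with a hardened pair that enforces it, and models the isolation setting as a shared site-level check so the cross-site effect of non-isolated sites is visible in both variants.

```python
"""Model of a merchant-approved storefront login (constructed example).

Hypothetical code, not SAP Commerce: it illustrates the bug class in the
advisory text, where the forgotten-password flow lets a self-registered but
never-approved account obtain a working password.
"""
from __future__ import annotations

from dataclasses import dataclass
import hashlib
import hmac
import secrets


@dataclass
class Site:
    uid: str
    registration: bool   # self-registration form is enabled
    isolated: bool       # accounts are bound to this site only (hypothetical flag)


@dataclass
class Account:
    email: str
    home_site: str       # site the account was registered on
    approved: bool = False
    pw_hash: str | None = None


def _hash(pw: str) -> str:
    # Placeholder only; a real store would use a slow, salted KDF.
    return hashlib.sha256(pw.encode()).hexdigest()


class Storefront:
    """All sites here are 'early login' sites: nothing is browsable without a login."""

    def __init__(self, sites: list[Site]) -> None:
        self.sites = {s.uid: s for s in sites}
        self.accounts: dict[str, Account] = {}
        self.reset_tokens: dict[str, str] = {}

    def register(self, site_uid: str, email: str) -> Account:
        if not self.sites[site_uid].registration:
            raise PermissionError(f"registration disabled on {site_uid}")
        acct = Account(email, site_uid)        # approved stays False until the merchant acts
        self.accounts[email] = acct
        return acct

    def approve(self, email: str) -> None:
        self.accounts[email].approved = True   # merchant-side action

    def request_reset(self, email: str) -> str:
        if email not in self.accounts:
            raise KeyError(email)
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = email
        return token

    def _site_allows(self, site_uid: str, acct: Account) -> bool:
        # Isolation is configuration, not the bug: an isolated site only accepts
        # its own accounts, and accounts from an isolated site stay there.
        site, home = self.sites[site_uid], self.sites[acct.home_site]
        return acct.home_site == site_uid or not (site.isolated or home.isolated)

    # --- vulnerable pattern: neither reset nor login consults `approved` ---
    def reset_password_vulnerable(self, token: str, new_pw: str) -> None:
        email = self.reset_tokens.pop(token)   # single-use token
        self.accounts[email].pw_hash = _hash(new_pw)

    def login_vulnerable(self, site_uid: str, email: str, pw: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.pw_hash is None:
            return False
        return hmac.compare_digest(acct.pw_hash, _hash(pw)) and self._site_allows(site_uid, acct)

    # --- hardened pattern: approval is checked on the reset path and at login ---
    def reset_password_fixed(self, token: str, new_pw: str) -> None:
        email = self.reset_tokens.pop(token)
        acct = self.accounts[email]
        if not acct.approved:
            raise PermissionError("account awaiting merchant approval")
        acct.pw_hash = _hash(new_pw)

    def login_fixed(self, site_uid: str, email: str, pw: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.pw_hash is None or not acct.approved:
            return False
        return hmac.compare_digest(acct.pw_hash, _hash(pw)) and self._site_allows(site_uid, acct)


def demo() -> dict[str, bool]:
    """Run the attacker flow against both variants; returns the login outcomes."""
    def build() -> Storefront:
        return Storefront([
            Site("shop-a", registration=True, isolated=False),   # registration open
            Site("shop-b", registration=False, isolated=False),  # closed, shares accounts
            Site("shop-c", registration=False, isolated=True),   # closed and isolated
        ])

    attacker, pw = "mallory@example.com", "chosen-pw"   # constructed sample input
    out: dict[str, bool] = {}

    store = build()                                   # vulnerable variant
    store.register("shop-a", attacker)                # never approved
    store.reset_password_vulnerable(store.request_reset(attacker), pw)
    out["vuln_home_site"] = store.login_vulnerable("shop-a", attacker, pw)
    out["vuln_cross_site"] = store.login_vulnerable("shop-b", attacker, pw)
    out["vuln_isolated_site"] = store.login_vulnerable("shop-c", attacker, pw)

    store = build()                                   # hardened variant
    store.register("shop-a", attacker)
    try:
        store.reset_password_fixed(store.request_reset(attacker), pw)
        out["fixed_reset_blocked"] = False
    except PermissionError:
        out["fixed_reset_blocked"] = True
    store.approve(attacker)                           # legitimate path
    store.reset_password_fixed(store.request_reset(attacker), pw)
    out["fixed_home_site"] = store.login_fixed("shop-a", attacker, pw)
    out["fixed_cross_site"] = store.login_fixed("shop-b", attacker, pw)
    out["fixed_isolated_site"] = store.login_fixed("shop-c", attacker, pw)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login ok' if ok else 'denied'}")
```

In the vulnerable variant the unapproved account logs in to `shop-a` and, because `shop-b` is not isolated, to `shop-b` as well, even though `shop-b` has registration switched off; only the isolated `shop-c` refuses it. The hardened variant rejects the reset outright until the merchant approves, and the isolation check still limits an approved account to non-isolated sites. The practical reading for operators is the same one the advisory implies: apply the note, and treat marking sites as isolated as a containment setting rather than a substitute for the fix.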

Of the remaining SAP security notes (PDF), 15 are described as medium-severity issues in Landscape Management, Document Builder, NetWeaver, CRM, Business Warehouse, S/4HANA, Business Workflow, GUI for Windows, Transportation Management, and Enable Now.

The patched vulnerabilities include information disclosure issues, unrestricted file uploads, missing authorization checks, cross-site scripting (XSS), and server-side request forgery (SSRF) bugs.

SAP makes no mention of any of these vulnerabilities being exploited in the wild. However, customers are advised to apply the security notes as soon as possible, as attackers are known to have targeted security defects in SAP products for which patches had already been released.
