SAP Security Notes, February 2024
Hot news note 3420923 patches a critical code injection vulnerability in the Web Survey component of Application Basis. Prerequisite note 1110803 is required to apply the correction for versions 700-710 and note 1354949 is required for version 711. As a workaround, remote calls to function modules of CA-SUR can be restricted using authorization object S_RFC.
Note 3417627 addresses a high-risk cross-site scripting vulnerability in the User Admin Application of SAP NetWeaver Application Server Java (AS Java). The vulnerability is a side effect of improper encoding and validation introduced with note 3251396.
Note 3426111 secures an XML parser in the Guided Procedures component of AS Java to patch an XML External Entity (XXE) injection vulnerability. The vulnerability can be exploited by threat actors to read sensitive files. The note includes details of a workaround that requires disabling the vulnerable caf-eu-gp-model-iforms-eap application.
Notes 3424610 and 3410875 deal with broken authentication and cross-site scripting vulnerabilities in the SAP Cloud Connector and SAP CRM, respectively.