SAP Security Notes, March 2019
Note 2764283 addresses an XML External Entity (XXE) vulnerability in SAP HANA extended application services (XS), advanced. XS advanced does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space. Successful exploitation of the vulnerability could lead to the reading of arbitrary files on SAP servers or to denial of service through resource exhaustion. Note that exploits targeting the vulnerability require either administrative or developer privileges to the SAP space of the XS advanced service. SAP recommends updating to XS advanced runtime version 1.0.102 or later.
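The two outcomes named above (file disclosure through an external entity, and resource exhaustion through entity expansion) both depend on the parser honouring a DTD supplied with the document. The following is an added illustration, not SAP code and not specific to the XS advanced runtime: it uses Python's standard expat binding to enumerate DOCTYPE and entity declarations without resolving them, refuses any document that carries one, and shows how a parser that does expand declared entities inflates a few bytes of input. The sample documents and the `file:///etc/hostname` reference are constructed for the example.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET

# Constructed sample: a document declaring an external entity, the pattern
# an XXE payload relies on. The file reference is illustrative only.
SAMPLE_WITH_DTD = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE doc [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>\n'
    '<doc><name>&ext;</name></doc>'
)

# Constructed sample: nested internal entities. Each level multiplies the
# output; the same structure with more levels is an entity-expansion DoS.
SAMPLE_EXPANSION = (
    '<!DOCTYPE d [ <!ENTITY a "aaaaaaaa">'
    ' <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;"> ]>'
    '<d>&b;</d>'
)

# Constructed sample: a plain document with no DTD at all.
SAMPLE_CLEAN = '<?xml version="1.0"?><doc><name>app1</name></doc>'


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document declares a DTD or entity."""


def dtd_declarations(data: str) -> list:
    """Return the DOCTYPE and entity declarations found in `data`.

    expat reports declarations through handlers; no ExternalEntityRefHandler
    is installed, so external entities are never fetched during this pass.
    """
    found = []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = (
        lambda name, sysid, pubid, has_internal: found.append(("doctype", name))
    )
    parser.EntityDeclHandler = (
        lambda name, is_param, value, base, sysid, pubid, notation:
            found.append(("entity", name, sysid))
    )
    parser.Parse(data, True)
    return found


def parse_untrusted(data: str) -> ET.Element:
    """Parse XML from an untrusted source, rejecting any DTD outright.

    Application XML rarely needs a DTD; refusing one closes both the
    external-entity and the entity-expansion paths before parsing proper.
    """
    if dtd_declarations(data):
        raise UnsafeXMLError("DTD or entity declaration in untrusted XML")
    return ET.fromstring(data)


def expanded_text_length(data: str) -> int:
    """Length of the root text after a DTD-honouring parser expands entities.

    ElementTree expands internal entities, so this shows the amplification
    a hardened parser must refuse. Only run it on the constructed sample.
    """
    return len(ET.fromstring(data).text)


if __name__ == "__main__":
    print(dtd_declarations(SAMPLE_WITH_DTD))
    print(parse_untrusted(SAMPLE_CLEAN).find("name").text)
    print("3 bytes of reference expand to", expanded_text_length(SAMPLE_EXPANSION), "chars")
    try:
        parse_untrusted(SAMPLE_WITH_DTD)
    except UnsafeXMLError as exc:
        print("rejected:", exc)
```

Rejecting the DTD wholesale is the simplest defensible policy for application-supplied XML; where a schema genuinely requires a DTD, the equivalent control is to disable external entity resolution and cap entity expansion in whichever parser the runtime uses.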
Note 2689925 deals with a Cross-Site Scripting (XSS) vulnerability in the SAML 1.1 SSO Demo App in the SAP NetWeaver Application Server Java. The app does not sufficiently encode user-controlled inputs. This could lead to unauthorized changes to web content and the theft of user credentials. The vulnerability impacts versions 7.10 – 7.50 of the software component J2EE-APPS. SAP recommends upgrading the component to the relevant patch level for each version specified in Note 2689925.
Note 2524203 introduces a switchable authorization check to secure access to the function module FKK_DOCUMENT_READ used to read documents in Accounts Receivable and Payable.
Notes 2662687, 2727689, 2754235, 2746946, 2652102 and 2250863 patch insufficient or missing authorization checks in areas such as SAP Enterprise Financial Services, NetWeaver Application Server ABAP, S/4HANA, Convergent Invoicing and the Payment Engine.