SAP Security Notes, September 2021
Hot news note 3078609 patches a missing authorization check in the JMS Connector Service of SAP NetWeaver Application Server for Java. The vulnerability could be exploited to execute arbitrary code in the system remotely and without authentication. Hence, the note carries the maximum CVSS score of 10/10. A fix is included in the note but a temporary workaround is outlined in note 3093977.
Note 3081888 deals with a code injection vulnerability for XMLForms in SAP NetWeaver Knowledge Management. The note includes a patch for the XMLToolkit parser to prevent the execution of malicious XSL stylesheet files containing scripts with OS-level commands.
Note 3073891 patches multiple OS command injection and reflected Cross-Site Scripting (XSS) vulnerabilities in SAP Contact Center. The vulnerabilities are caused by improper encoding of user input.
Note 3089831 introduces input validation to protect the remote execution of vulnerable function modules, which could otherwise be exploited to gain access to backend databases. The note includes instructions for blocking remote calls to the impacted function modules using Unified Connectivity (UCON) as a workaround.
Note 3084487 removes a vulnerable component of SAP NetWeaver Visual Composer that could be exploited by attackers to upload malicious files that run operating system commands with the privileges of the Java Server process. The commands could be used to read and modify data or provoke a denial of service.