SAP Security Notes, September 2024
Note 3459935 was updated in September with revised solution details to patch a high priority information disclosure vulnerability in SAP Commerce Cloud. Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII), such as passwords, to be included in the request URL as query or path parameters. The impacted endpoints are detailed in the note. The note includes patches for both the cloud and on-premise editions. A workaround is also included in the note if the corrections cannot be implemented within a reasonable timeframe.
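Credentials placed in a URL end up wherever URLs are recorded: web server access logs, reverse proxies, and browser history. One way for a defender to find out whether such requests are actually arriving is to scan the access logs. The Python below is an added example, not code from the note or from SAP Commerce Cloud; the log lines, the OCC-style paths and the parameter names in it are constructed and are not the endpoints listed in the note. It reports the offending parameter or path-segment name only, never the value, so the detector itself does not copy the credential into a second log.

```python
"""Flag requests whose URL carries credential-like data as query or path parameters.

Added example, not code from SAP Note 3459935. The log lines, endpoint paths and
parameter names below are constructed; the real impacted endpoints are in the note.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# One Common Log Format line: client ident user [time] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Parameter / path-segment names that should never carry a value in a URL.
# Matched as substrings, case-insensitively, so "oldPassword" and "new_pwd" hit too.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret")


def find_pii_in_url(url):
    """Return a list of findings for one request URL; empty if nothing looks sensitive.

    Only the parameter or segment *name* is returned, never the value, so the
    detector does not write the credential into another log.
    """
    parts = urlsplit(url)
    hits = []
    # Query string: any key whose name contains a sensitive word.
    for key, _value in parse_qsl(parts.query, keep_blank_values=True):
        if any(word in key.lower() for word in SENSITIVE_KEYS):
            hits.append(f"query:{key}")
    # Path: a segment named like a secret that is followed by another segment,
    # e.g. /users/<id>/password/<value>. A trailing "password" segment alone is fine.
    segments = [s for s in parts.path.split("/") if s]
    for name, _following in zip(segments, segments[1:]):
        if name.lower() in SENSITIVE_KEYS:
            hits.append(f"path:{name}")
    return hits


def scan_log(lines):
    """Return (client, method, path, findings) for every request with a finding."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        hits = find_pii_in_url(m["url"])
        if hits:
            results.append((m["client"], m["method"], urlsplit(m["url"]).path, hits))
    return results


# Constructed sample traffic: the paths imitate an OCC-style API but are not the
# endpoints named in the note, and the credential values are deliberately fake.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Sep/2024:12:00:01 +0000] "POST /occ/v2/shop/users/alice/password?oldPassword=fake1&newPassword=fake2 HTTP/1.1" 200 12',
    '10.0.0.6 - - [10/Sep/2024:12:00:02 +0000] "GET /occ/v2/shop/products?query=shoes&pageSize=20 HTTP/1.1" 200 4532',
    '10.0.0.7 - - [10/Sep/2024:12:00:03 +0000] "GET /occ/v2/shop/users/bob/password/fake3 HTTP/1.1" 200 2',
    '10.0.0.8 - - [10/Sep/2024:12:00:04 +0000] "POST /occ/v2/shop/users/carol/login HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for client, method, path, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {method} {path} -> {', '.join(hits)}")
```

Run against real logs, the key list should be tuned to the parameter names the note identifies; the substring match is deliberately broad so that wrappers like `oldPassword` are not missed, at the cost of some review noise.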
Note 3505503 addresses a Cross-Site Scripting (XSS) vulnerability in the logon application of SAP NetWeaver Application Server (AS) Java. Because user-controlled inputs are insufficiently encoded, SAP NetWeaver AS Java allows malicious scripts to be executed in the logon application. The solution included in the note encodes the parameters to address the vulnerability.
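To make the defect class concrete, the Python below is an added example, not code from the SAP logon application or from the note: it reflects a user-controlled username and message into a constructed page fragment first without encoding and then with HTML encoding suited to the attribute and text contexts, and includes a small check that tells whether a given input is able to change the page's structure. The field names, the fragment and the test payload are all constructed.

```python
"""Reflecting user-controlled values into a logon page: unencoded versus encoded.

Added example, not code from SAP NetWeaver AS Java or from Note 3505503. The page
fragment, field names and test payload are constructed.
"""
import html


def render_logon_vulnerable(username, message):
    """Copies user-controlled values straight into HTML (the defect class in the note)."""
    return (
        f'<form action="/logon"><input name="user" value="{username}">'
        f'<p class="msg">{message}</p></form>'
    )


def render_logon_hardened(username, message):
    """Encodes each value for the context it lands in.

    html.escape(quote=True) turns < > & " ' into entities, which is what both an
    HTML attribute value and an HTML text node need. JavaScript or URL contexts
    would need their own encoders; this fragment has neither.
    """
    return (
        f'<form action="/logon"><input name="user" value="{html.escape(username, quote=True)}">'
        f'<p class="msg">{html.escape(message, quote=True)}</p></form>'
    )


def input_changes_structure(render, user_input):
    """Render once with the input and once with empty strings.

    If the number of '<' or '"' characters differs, the input was able to open a
    tag or break out of the quoted attribute, which is exactly what encoding must
    prevent. Counting is template-agnostic, so the same check works for any renderer.
    """
    baseline = render("", "")
    rendered = render(user_input, user_input)
    return (rendered.count("<"), rendered.count('"')) != (
        baseline.count("<"),
        baseline.count('"'),
    )


# Constructed test inputs: one classic markup-breaking string and one benign name
# that contains characters an over-eager filter might wrongly reject.
PAYLOAD = '"><script>alert(1)</script>'
BENIGN = "O'Brien & Sons"

if __name__ == "__main__":
    for name, render in (("vulnerable", render_logon_vulnerable), ("hardened", render_logon_hardened)):
        print(f"{name}: payload changes structure = {input_changes_structure(render, PAYLOAD)}")
```

The check is framed around structure rather than around a blocklist of strings: encoding is correct when no input, whatever its content, can add a tag or close an attribute, while legitimate values such as `O'Brien & Sons` still render as the user typed them.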
Notes 3501359 and 3498221 patch Cross-Site Scripting vulnerabilities in SAP CRM and SAP Enterprise Portal.
Note 3488039 deals with multiple missing authorization checks in SAP NetWeaver Application Server (AS) ABAP and ABAP Platform. The affected function modules belong to function group SMTR_NAVIGATION_MODULES_BX. As a workaround, you may withdraw authorization S_RFC, either with field RFC_TYPE set to the prefixed value for SMTR_NAVIGATION_MODULES_BX or with field RFC_NAME set to the function modules of function group SMTR_NAVIGATION_MODULES_BX.