May 2026 · 15 notes
Patch Intelligence · SAP Security Patches
Every SAP Security Note from Patch Tuesday, ranked by what actually matters to your landscape. Tier 1 products are in almost every SAP shop — missing a patch there is career-ending for BASIS admins.
Severity breakdown: 2 Critical · 1 High · 11 Medium · 1 Low
Tier 1 · Always covered
Products in virtually every SAP environment. Patch these first, every month.
SQL Injection in SAP S/4HANA Enterprise Search
Unsanitised user input is concatenated directly into SQL queries in the Enterprise Search component, allowing an authenticated attacker to inject arbitrary SQL statements. Impact is primarily on confidentiality and availability — unauthorised database access and information disclosure are possible.
OS Command Injection in SAP NetWeaver Application Server ABAP
OS command injection vulnerability in SAP NetWeaver AS ABAP affecting an extremely broad range of BASIS versions. Allows execution of operating system commands under specific conditions.
Missing Authorization Check in SAP S/4HANA Condition Maintenance
Missing authorisation check in the Condition Maintenance functionality of S/4HANA allows an authenticated user to access or modify pricing condition data beyond their intended permissions.
Content Spoofing in SAPUI5 Search UI
Content spoofing vulnerability in the SAPUI5 Search UI component allows an attacker to craft URLs that display misleading content within the search interface, potentially used as a phishing vector.
Reflected XSS in SAP NetWeaver Application Server ABAP
Reflected cross-site scripting vulnerability in SAP NetWeaver AS ABAP. An attacker can craft a URL that, when accessed by a victim, executes scripts in the browser context of the victim.
Code Injection in SAP Application Server ABAP
Code injection vulnerability in SAP Application Server ABAP affecting a broad range of BASIS versions. Allows an attacker under specific conditions to inject and execute arbitrary code.
SQL Injection in SAP HANA HDI Deploy Library
SQL injection vulnerability in the SAP HANA Deployment Infrastructure (HDI) Deploy Library. Limited exploit conditions reduce severity to low.
Tier 2 · Covered when notable
Products with real deployments that have something worth acting on this month.
Missing Authentication Check in SAP Commerce Cloud Configuration Upload
An overly permissive Spring Security configuration with incorrect rule ordering allows unauthenticated users to access the configuration upload functionality. An attacker can upload malicious configuration that triggers code injection, resulting in arbitrary server-side code execution. The fix requires a rebuild and redeployment of the affected application.
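The rule-ordering mistake described above is easy to reproduce in any Spring Security application: `authorizeHttpRequests` rules are evaluated top to bottom and the first matching rule wins, so a broad `permitAll()` placed before a more specific `hasRole()` rule silently disables the latter. The following is an added illustration written for this page, not SAP Commerce Cloud's own configuration or patch; the endpoint path `/admin/config/upload`, the `ADMIN` role, the public paths and all class names are assumptions, and the code targets the Spring Boot 3 / Spring Security 6 API. The weak variant is shown beside the hardened one, followed by a MockMvc regression check (which assumes a Spring Boot application class on the classpath and the `spring-security-test` dependency).

```java
// Illustrative example only, not SAP Commerce Cloud code. The endpoint path
// "/admin/config/upload", the ADMIN role and the class names are assumptions.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.junit.jupiter.api.Test;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

/**
 * WEAK: the broad permitAll() rule comes first. Spring Security evaluates
 * authorizeHttpRequests rules in declaration order and stops at the first
 * match, so "/**" swallows every request and the ADMIN rule below it is
 * dead code. Deliberately NOT annotated @Configuration so it is never
 * loaded; it is shown only for contrast with the hardened variant.
 */
class WeakConfigUploadSecurity {
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/**").permitAll()                       // matches first, always
                .requestMatchers(HttpMethod.POST, "/admin/config/upload") // never reached
                    .hasRole("ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

/**
 * HARDENED: most specific rule first, catch-all last, and the catch-all
 * fails closed (authenticated()) instead of permitting. Only the paths
 * listed explicitly are reachable anonymously.
 */
@Configuration
@EnableWebSecurity
class HardenedConfigUploadSecurity {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.POST, "/admin/config/upload").hasRole("ADMIN")
                .requestMatchers("/public/**", "/health").permitAll()   // assumed public paths
                .anyRequest().authenticated())                          // fail closed
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

/**
 * Regression check: an anonymous POST to the upload endpoint must be
 * rejected. With HTTP Basic configured, the authentication entry point
 * answers 401 for an unauthenticated caller that is denied access.
 */
@SpringBootTest
@AutoConfigureMockMvc
class ConfigUploadAccessTest {
    @Autowired MockMvc mvc;

    @Test
    void anonymousUploadIsRejected() throws Exception {
        mvc.perform(post("/admin/config/upload")
                .with(csrf())                       // pass the CSRF filter so the authorization rule is what rejects us
                .contentType("text/plain")
                .content("some.property=value"))    // constructed sample payload
            .andExpect(status().isUnauthorized());
    }
}
```

The test carries a valid CSRF token on purpose: without it the request would be rejected by the CSRF filter with a 403 before the authorization rules are consulted, and the check would pass even against the weak configuration. Run it against both variants to confirm it fails on the weak ordering and passes on the hardened one.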
OS Command Injection in SAP Forecasting & Replenishment
Insufficient control over operating system commands in five function modules allows an authenticated attacker with administrative authorisations to execute arbitrary OS commands. The affected functions are not remote-enabled, but exploitation by a privileged user has high impact on confidentiality, integrity, and availability.
Reflected XSS in Business Server Pages TAF_APPLAUNCHER
Reflected cross-site scripting vulnerability in the TAF_APPLAUNCHER Business Server Page used by Component-Based Test Automation. An attacker can craft a URL that, when accessed by a victim, executes scripts in the victim's browser context.
Cross-Site Request Forgery in SAP BusinessObjects BI Platform
A CSRF vulnerability in the BusinessObjects BI Platform that could allow an attacker to trick an authenticated user into performing unintended actions.
Improper Certificate Validation in SAP Commerce Cloud Log4j Component
Improper certificate validation in the Apache Log4j dependency shipped with SAP Commerce Cloud could allow man-in-the-middle attacks against outbound HTTPS connections from the platform.
Denial of Service in SAP Financial Consolidation
A denial of service vulnerability in SAP Financial Consolidation that could be exploited by an authenticated user to impact availability of the system.
Missing Authorization Check in SAP Incentive & Commission Management
Missing authorisation check in the Incentive & Commission Management functionality allows an authenticated attacker to access or modify incentive-related data without proper permissions.
Tier 3 · Critical CVEs only
Niche or SaaS-only products. Covered here when severity warrants it.