SAP Patches High-Severity Vulnerabilities in Commerce, NetWeaver

Post Views: 48

Enterprise software maker SAP on Tuesday announced the release of 21 new and three updated security notes on its March 2025 security patch day.

The company included five high-priority security notes in its advisory, namely three new notes that address vulnerabilities in Commerce, NetWeaver, and Commerce Cloud, and two updated notes that resolve flaws in Approuter and PDCE.

The most severe of these issues are CVE-2025-27434 and CVE-2025-26661 (CVSS score of 8.8), described as a cross-site scripting (XSS) bug in Commerce and a missing authorization check in NetWeaver.

The XSS issue resides in the open source library Swagger UI, and could allow an unauthenticated attacker to inject malicious code if they convince a user “to place a malicious payload into an input field”, application security firm Onapsis notes.

The NetWeaver vulnerability was discovered in the transaction SA38, and allows access to restricted functionality.

SAP also released patches for Commerce Cloud to resolve two high-severity bugs in Apache Tomcat that could be exploited to cause a denial-of-service (DoS) condition or bypass authentication.

The updated high-priority security notes resolve an authentication bypass in Approuter and a missing authorization check in PDCE. The notes were initially published in February 2025 and July 2024.

On Tuesday, SAP also announced the release of 15 medium-priority security notes that resolve flaws in Business One, NetWeaver, Business Warehouse, BusinessObjects, Web Dispatcher and Internet Communication Manager, S/4HANA, Fiori apps, and Permit to Work.

Advertisement. Scroll to continue reading.

SAP also released five low-priority notes this week, including a note with a CVSS score of 0.0, which “provides best practice information about custom Java applications in SAP BTP implemented with the Spring Framework,” as Onapsis explains.

The note provides details on the endpoints that the debugging and monitoring tool Spring Boot Activator may expose, and which could introduce serious vulnerabilities is not properly secured.

Related: SAP Releases 21 Security Patches

Related: SAP Patches Critical Vulnerabilities in NetWeaver

Related: SAP Patches Critical Vulnerability in NetWeaver

Related: SAP Patches High-Severity Vulnerability in Web Dispatcher

Source link

What's Hot

Is Father’s Day getting more respect? Depends on who you ask

Spaniards sour on tourism industry amid housing crunch

David Beckham, Gary Oldman and others honored by King Charles III

O2 Service Vulnerability Exposed User Location

Madhu Gottumukkala Officially Announced as CISA Deputy Director

BreachRx Lands $15 Million as Investors Bet on Breach-Workflow Software

Printer Company Procolored Served Infected Software for Months

UK Legal Aid Agency Finds Data Breach Following Cyberattack

480,000 Catholic Health Patients Impacted by Serviceaide Data Leak

Private Equity’s First Woman Billionaire Owns San Diego Soccer Team

Billionaire Walmart Heiress Urges People To ‘Mobilize’ At June 14 Anti-Trump Protests

Anduril Cofounder Trae Stephens Is Now A Billionaire

The Unlikely Group Getting Rich Off Dave’s Hot Chicken’s $1 Billion Deal

Is Father’s Day getting more respect? Depends on who you ask

Spaniards sour on tourism industry amid housing crunch

David Beckham, Gary Oldman and others honored by King Charles III

Pope Leo XIV’s fashion choices draw excitement and scrutiny

Our Picks

After Klarna, Zoom’s CEO also uses an AI avatar on quarterly call

Anthropic CEO claims AI models hallucinate less than humans

Anthropic’s latest flagship AI sure seems to love using the ‘cyclone’ emoji

What's Hot

SAP Patches High-Severity Vulnerabilities in Commerce, NetWeaver

Related Posts

Subscribe to Updates