SAP Patches High-Severity Vulnerabilities in Commerce, NetWeaver

Post Views: 125

Enterprise software maker SAP on Tuesday announced the release of 21 new and three updated security notes on its March 2025 security patch day.

The company included five high-priority security notes in its advisory, namely three new notes that address vulnerabilities in Commerce, NetWeaver, and Commerce Cloud, and two updated notes that resolve flaws in Approuter and PDCE.

The most severe of these issues are CVE-2025-27434 and CVE-2025-26661 (CVSS score of 8.8), described as a cross-site scripting (XSS) bug in Commerce and a missing authorization check in NetWeaver.

The XSS issue resides in the open source library Swagger UI, and could allow an unauthenticated attacker to inject malicious code if they convince a user “to place a malicious payload into an input field”, application security firm Onapsis notes.

The NetWeaver vulnerability was discovered in the transaction SA38, and allows access to restricted functionality.

SAP also released patches for Commerce Cloud to resolve two high-severity bugs in Apache Tomcat that could be exploited to cause a denial-of-service (DoS) condition or bypass authentication.

The updated high-priority security notes resolve an authentication bypass in Approuter and a missing authorization check in PDCE. The notes were initially published in February 2025 and July 2024.

On Tuesday, SAP also announced the release of 15 medium-priority security notes that resolve flaws in Business One, NetWeaver, Business Warehouse, BusinessObjects, Web Dispatcher and Internet Communication Manager, S/4HANA, Fiori apps, and Permit to Work.

Advertisement. Scroll to continue reading.

SAP also released five low-priority notes this week, including a note with a CVSS score of 0.0, which “provides best practice information about custom Java applications in SAP BTP implemented with the Spring Framework,” as Onapsis explains.

The note provides details on the endpoints that the debugging and monitoring tool Spring Boot Activator may expose, and which could introduce serious vulnerabilities is not properly secured.

Related: SAP Releases 21 Security Patches

Related: SAP Patches Critical Vulnerabilities in NetWeaver

Related: SAP Patches Critical Vulnerability in NetWeaver

Related: SAP Patches High-Severity Vulnerability in Web Dispatcher

Source link

What's Hot

How the FAA’s flight cuts could impact your upcoming travel plans

How and when to clean your reusable water bottle

JD Vance hopes his Hindu wife converts to Christianity, sparking backlash

O2 Service Vulnerability Exposed User Location

Madhu Gottumukkala Officially Announced as CISA Deputy Director

BreachRx Lands $15 Million as Investors Bet on Breach-Workflow Software

Printer Company Procolored Served Infected Software for Months

UK Legal Aid Agency Finds Data Breach Following Cyberattack

480,000 Catholic Health Patients Impacted by Serviceaide Data Leak

Musk’s Net Worth Drops $10 Billion—And Tesla Shares Fall—Here’s Why

Trump’s Bungled Bet On Bitcoin Is Costing Him Bigtime

A Startup Was Their First-Ever Job—Now They’re The World’s Youngest Self Made Billionaires

Meet The Former Journalist Giving Away Billions

How the FAA’s flight cuts could impact your upcoming travel plans

How and when to clean your reusable water bottle

JD Vance hopes his Hindu wife converts to Christianity, sparking backlash

Struggling families need help feeding pets as SNAP payments in doubt

Our Picks

After Klarna, Zoom’s CEO also uses an AI avatar on quarterly call

Anthropic CEO claims AI models hallucinate less than humans

Anthropic’s latest flagship AI sure seems to love using the ‘cyclone’ emoji

What's Hot

SAP Patches High-Severity Vulnerabilities in Commerce, NetWeaver

Related Posts

Subscribe to Updates