Arpine Maghakyan

Security Researcher of RedRays.

SAP Security Patch Day – February 2024

On February 13th, 2024, SAP released a crucial set of security patches. These updates are essential for addressing a variety of vulnerabilities discovered in different SAP components. The primary focus of this SAP Security Patch Day is on fixing program errors that could result in significant security vulnerabilities. Below, you will find a comprehensive summary of the security notes issued, sorted by their severity based on the Common Vulnerability Scoring System (CVSS) scores:


| Component | Note Number | Description | CVSS Score | Priority | Patch Date |
|---|---|---|---|---|---|
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | HotNews | 10.04.2018 |
| CA-SUR | 3420923 | [CVE-2024-22131] Code Injection vulnerability in SAP ABA (Application Basis) | 9.1 | HotNews | 13.02.2024 |
| BC-JAS-SEC-UME | 3417627 | [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) | 8.8 | Correction with high priority | 13.02.2024 |
| BC-GP | 3426111 | [CVE-2024-24743] XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures) | 8.6 | Correction with high priority | 13.02.2024 |
| CA-WUI-UI | 3410875 | [CVE-2024-22130] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | 7.6 | Correction with high priority | 13.02.2024 |
| XX-IDES | 3421659 | [CVE-2024-22132] Code Injection vulnerability in SAP IDES Systems | 7.4 | Correction with high priority | 13.02.2024 |
| BC-MID-SCC | 3424610 | [CVE-2024-25642] Improper Certificate Validation in SAP Cloud Connector | 7.4 | Correction with high priority | 13.02.2024 |
| BC-FES-WGU | 3385711 | [CVE-2023-49580] Information disclosure vulnerability in SAP NetWeaver Application Server ABAP | 7.3 | Correction with high priority | 12.12.2023 |
| FIN-FSCM-CLM | 2637727 | [CVE-2024-24739] Missing authorization check in SAP Bank Account Management | 6.3 | Correction with medium priority | 13.02.2024 |
| KM-SEN-CMP | 3404025 | [CVE-2024-22129] Cross-Site Scripting (XSS) vulnerability in SAP Companion | 5.4 | Correction with medium priority | 13.02.2024 |
| BC-FES-ITS | 3360827 | [CVE-2024-24740] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (SAP Kernel) | 5.3 | Correction with medium priority | 13.02.2024 |
| BC-FES-BUS | 3396109 | [CVE-2024-22128] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML | 4.7 | Correction with medium priority | 13.02.2024 |
| CA-MDG-APP-MM | 2897391 | [CVE-2024-24741] Missing Authorization check in SAP Master Data Governance Material | 4.3 | Correction with medium priority | 01.02.2024 |
| PA-FIO-OVT | 3237638 | [CVE-2024-25643] Missing authorization check in SAP Fiori app (“My Overtime Requests”) | 4.3 | Correction with medium priority | 13.02.2024 |
| CA-WUI-WKB | 3158455 | [CVE-2024-24742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | 4.1 | Correction with medium priority | 13.02.2024 |

Statistics:

  • Total new SAP notes released: 15
  • Total vulnerabilities addressed: 15
  • Highest CVSS Score: 10.0 (HotNews)

Top 3 Critical Issues:

  1. BC-FES-BUS-DSK: Security updates for the browser control Google Chromium delivered with SAP Business Client (CVSS Score: 10.0, Priority: HotNews)

    This critical issue involves updates to the browser control Google Chromium delivered with SAP Business Client, addressing significant security vulnerabilities that could potentially compromise system integrity and data security.

  2. CA-SUR: [CVE-2024-22131] Code Injection vulnerability in SAP ABA (Application Basis) (CVSS Score: 9.1, Priority: HotNews)

    This vulnerability allows for code injection in SAP ABA, posing a serious threat to the application basis layer by enabling unauthorized code execution that could compromise system security and data integrity.

  3. BC-JAS-SEC-UME: [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) (CVSS Score: 8.8, Priority: Correction with high priority)

    This issue represents a Cross-Site Scripting (XSS) vulnerability within the NetWeaver AS Java User Admin Application, which could allow for the execution of malicious scripts, potentially leading to unauthorized access and data breaches.

The vulnerabilities have been researched and integrated into the RedRays Security Platform database.

To request private analytics with detailed PoC, please use the contact form of the RedRays website.
