Multiple Apple Products Vulnerabilities
November 1, 2024
Severity
Medium
Analysis Summary
CVE-2024-37179 (CVSS: 7.7)
SAP BusinessObjects Business Intelligence Platform allows an authenticated user to send a specially crafted request to the Web Intelligence Reporting Server and download any file from the machine hosting the service, causing high impact on the confidentiality of the application.
CVE-2024-45277 (CVSS: 4.3)
SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 are affected by a Prototype Pollution vulnerability that allows an attacker to add arbitrary properties to global object prototypes. The cause is improper sanitization of user input when the nestTables feature is used, resulting in low impact on the availability of the application. There is no impact on confidentiality or integrity.
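As an added illustration of the vulnerability class described above, and not the SAP HANA client's own code, here is a hypothetical "nestTables"-style helper that splits dotted column names into nested objects: a naive version that lets a `__proto__` segment reach `Object.prototype`, beside a hardened version that rejects such segments and builds on null-prototype objects. The sample rows are constructed for the demonstration.

```javascript
// Hypothetical result-row nesting helper (not the SAP HANA client's code).
// Dotted column names such as "users.id" become nested objects. Walking an
// ordinary object with untrusted key segments can land on Object.prototype.
function nestRowNaive(row) {
  const out = {};
  for (const [name, value] of Object.entries(row)) {
    const parts = name.split(".");
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      if (cur[parts[i]] === undefined) cur[parts[i]] = {}; // "__proto__" is not undefined
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

const FORBIDDEN_SEGMENTS = new Set(["__proto__", "prototype", "constructor"]);
function nestRowSafe(row) {
  const out = Object.create(null); // no prototype chain to walk into
  for (const [name, value] of Object.entries(row)) {
    const parts = name.split(".");
    if (parts.some((p) => FORBIDDEN_SEGMENTS.has(p))) {
      throw new Error(`rejected unsafe column name: ${name}`);
    }
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      // only descend into properties this object actually owns
      if (!Object.prototype.hasOwnProperty.call(cur, parts[i])) cur[parts[i]] = Object.create(null);
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Constructed sample rows: one benign, one whose alias carries a prototype segment.
const BENIGN_ROW = { "users.id": 1, "users.name": "alice" };
const HOSTILE_ROW = { "__proto__.polluted": "yes" };

// Runs both helpers on the hostile row: the naive one leaks a property onto
// every object (undone here); the safe one throws and leaves prototypes clean.
function compareHelpers() {
  nestRowNaive(HOSTILE_ROW);
  const naiveLeaked = ({}).polluted === "yes";
  delete Object.prototype.polluted; // undo the global side effect
  let safeRejected = false;
  try { nestRowSafe(HOSTILE_ROW); } catch { safeRejected = true; }
  return { naiveLeaked, safeRejected, safeLeaked: ({}).polluted !== undefined,
           nested: nestRowSafe(BENIGN_ROW) };
}
```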
CVE-2024-45278 (CVSS: 5.4)
SAP Commerce Backoffice does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on the confidentiality and integrity of the application.
CVE-2024-45282 (CVSS: 4.3)
Fields in a 'read only' state in a Bank Statement Draft in the Manage Bank Statements application can be modified via the MERGE method. The OData entity property, which is assumed to be immutable, is not protected against external modification, leading to integrity violations. Confidentiality and availability are not impacted.
CVE-2024-47594 (CVSS: 5.4)
SAP NetWeaver Enterprise Portal (KMC) does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting vulnerability in the KMC servlet. An attacker could craft a script and trick a user into clicking a link that carries it. When a victim who is registered on the portal clicks such a link, the confidentiality and integrity of their web browser session could be compromised.
Impact
- Data Manipulation
- Cross-Site Scripting
Indicators of Compromise
CVE
- CVE-2024-37179
- CVE-2024-45277
- CVE-2024-45278
- CVE-2024-45282
- CVE-2024-47594
Affected Vendors
- SAP_SE
Affected Products
- SAP_SE SAP BusinessObjects Business Intelligence Platform (Web Intelligence): ENTERPRISE 420, 430, 2025; ENTERPRISECLIENTTOOLS 420
- SAP_SE SAP HANA Client: HDB_CLIENT 2.0
- SAP_SE SAP Commerce Backoffice: HY_COM 2205; COM_CLOUD 2211
- SAP_SE SAP S/4 HANA (Manage Bank Statements): S4CORE 102, 103, 104, 105, 106, 107
- SAP_SE SAP NetWeaver Enterprise Portal (KMC): KMC-BC 7.5
Remediation
Refer to the SAP Security Advisory for patch, upgrade, or suggested workaround information (login required).