=====================================================================

                            CERT-Renater

                  Note d'Information No. 2025/VULN081

_____________________________________________________________________

DATE                : 11/02/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP products.

=====================================================================
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2025.html
_____________________________________________________________________

SAP Security Patch Day - February 2025

This post lists the Security Notes that remediate vulnerabilities
discovered in SAP products. SAP strongly recommends that customers
visit the Support Portal and apply the patches as a priority to
protect their SAP landscape.

On 11 February 2025, SAP Security Patch Day saw the release of 19
new Security Notes. In addition, 2 updates to previously released
Security Notes were published.

Note#      Title, affected product and version(s), priority, CVSS

3417627    Update to Security Note released on February 2024 Patch Day:
           [CVE-2024-22126] Cross Site Scripting vulnerability in
           NetWeaver AS Java (User Admin Application)
           Product:  SAP NetWeaver AS Java (User Admin Application)
           Version:  7.50
           Priority: High      CVSS: 8.8

3525794    [CVE-2025-0064] Improper Authorization in SAP BusinessObjects
           Business Intelligence platform (Central Management Console)
           Product:  SAP BusinessObjects Business Intelligence platform
                     (Central Management Console)
           Versions: ENTERPRISE 430, 2025
           Priority: High      CVSS: 8.7

3567551    [CVE-2025-25243] Path traversal vulnerability in SAP Supplier
           Relationship Management (Master Data Management Catalog)
           Product:  SAP Supplier Relationship Management (Master Data
                     Management Catalog)
           Version:  SRM_MDM_CAT 7.52
           Priority: High      CVSS: 8.6

3567974    [CVE-2025-24876] Authentication bypass via authorization code
           injection in SAP Approuter
           Library:  @sap/approuter
           Versions: 2.6.1 to 16.7.1
           Priority: High      CVSS: 8.1

3567172    [CVE-2024-38819] Multiple vulnerabilities in SAP Enterprise
           Project Connection
           Related CVEs: CVE-2024-38820, CVE-2024-38828
           Product:  SAP Enterprise Project Connection
           Version:  3.0
           Priority: High      CVSS: 7.5

3563929    [CVE-2025-24868] Open Redirect Vulnerability in SAP HANA
           extended application services, advanced model (User Account
           and Authentication Services)
           Product:  SAP HANA extended application services, advanced
                     model (User Account and Authentication Services)
           Version:  SAP_EXTENDED_APP_SERVICES 1
           Priority: High      CVSS: 7.1

3555364    [CVE-2025-24875] SameSite Defense in Depth not applied for
           some cookies in SAP Commerce
           Product:  SAP Commerce
           Versions: HY_COM 2205, COM_CLOUD 2211
           Priority: Medium    CVSS: 6.8

3559510    [CVE-2025-24874] Missing Defense in Depth Against Clickjacking
           in SAP Commerce (Backoffice)
           Product:  SAP Commerce (Backoffice)
           Versions: HY_COM 2205, COM_CLOUD 2211
           Priority: Medium    CVSS: 6.8

3557138    Update 1 to Security Note 3417627: [CVE-2024-22126] Cross
           Site Scripting vulnerability in NetWeaver AS Java (User Admin
           Application)
           Product:  SAP NetWeaver AS Java (User Admin Application)
           Version:  7.50
           Priority: Medium    CVSS: 6.1

3445708    [CVE-2025-24867] Cross-Site Scripting (XSS) vulnerability in
           SAP BusinessObjects Business Intelligence platform (BI
           Launchpad)
           Product:  SAP BusinessObjects Platform (BI Launchpad)
           Versions: ENTERPRISE 430, 2025
           Priority: Medium    CVSS: 6.1

3562336    [CVE-2025-24870] Insecure Key & Secret Management
           vulnerability in SAP GUI for Windows
           Product:  SAP GUI for Windows
           Version:  BC-FES-GUI 8.00
           Priority: Medium    CVSS: 6.0

3540273    Multiple vulnerabilities in Apache Solr within SAP Commerce
           Cloud
           Related CVEs: CVE-2024-45216, CVE-2024-45217
           Product:  SAP Commerce Cloud
           Versions: HY_COM 2205, COM_CLOUD 2211
           Priority: Medium    CVSS: 5.5

3526203    [CVE-2025-0054] Cross-Site Scripting (XSS) vulnerability in
           SAP NetWeaver Application Server Java
           Product:  SAP NetWeaver Application Server Java
           Versions: EP-BASIS 7.50, FRAMEWORK-EXT 7.50
           Priority: Medium    CVSS: 5.4

3532025    [CVE-2025-25241] Missing Authorization check in SAP Fiori
           Apps Reference Library (My Overtime Requests)
           Product:  SAP Fiori Apps Reference Library (My Overtime
                     Requests)
           Version:  GBX01HR5 605
           Priority: Medium    CVSS: 5.4

3546470    [CVE-2025-23187] Missing Authorization Check in SAP NetWeaver
           and ABAP Platform (SDCCN)
           Related CVE: CVE-2025-23189
           Product:  SAP NetWeaver and ABAP Platform (SDCCN)
           Versions: ST-PI 2008_1_700, ST-PI 2008_1_710, ST-PI 740
           Priority: Medium    CVSS: 5.3

3561264    [CVE-2025-23193] Information Disclosure vulnerability in SAP
           NetWeaver Application Server ABAP
           Product:  SAP NetWeaver Application Server ABAP
           Versions: SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702,
                     SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750,
                     SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753,
                     SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756,
                     SAP_BASIS 757, SAP_BASIS 758
           Priority: Medium    CVSS: 5.3

3287784    Update to Security Note released on April 2023 Patch Day:
           [CVE-2023-24527] Improper Access Control in SAP NetWeaver AS
           Java for Deploy Service
           Product:  SAP NetWeaver AS Java for Deploy Service
           Versions: ENGINEAPI 7.50, SERVERCORE 7.50
           Priority: Medium    CVSS: 5.3

3550027    [CVE-2025-24869] Information Disclosure vulnerability in SAP
           NetWeaver Application Server Java
           Product:  SAP NetWeaver Application Server Java
           Version:  WD-RUNTIME 7.50
           Priority: Medium    CVSS: 4.3

3553753    [CVE-2025-24872] Missing Authorization check in SAP ABAP
           Platform (ABAP Build Framework)
           Product:  SAP ABAP Platform (ABAP Build Framework)
           Versions: SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752,
                     SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755,
                     SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758
           Priority: Medium    CVSS: 4.3

3547581    [CVE-2025-23190] Missing Authorization check in SAP NetWeaver
           and ABAP platform (ST-PI)
           Product:  SAP NetWeaver and ABAP platform (ST-PI)
           Versions: ST-PI 2008_1_700, ST-PI 2008_1_710, ST-PI 740
           Priority: Medium    CVSS: 4.3

3426825    [CVE-2025-23191] Cache Poisoning through header manipulation
           vulnerability in SAP Fiori for SAP ERP
           Product:  SAP Fiori for SAP ERP
           Versions: SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756,
                     757, 758
           Priority: Low       CVSS: 3.1
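Note 3567974 gives an affected range for the @sap/approuter npm library (2.6.1 to 16.7.1) rather than an SAP component version, so the practical question for a BTP / Cloud Foundry team is which copies of that package are actually pinned in their lockfiles, including nested duplicates pulled in by other dependencies. The following script is an added example for this advisory, not SAP's or CERT-Renater's code: it walks an npm package-lock.json and flags every installed @sap/approuter whose version lies inside the listed range. Only the range comes from the advisory; the sample lockfile, the helper package name and the script file name are constructed, and no fixed version is assumed, so anything outside the range is simply reported as "ok" and must still be checked against the Security Note itself.

```javascript
// Added example, not SAP's or CERT-Renater's code: scan an npm lockfile for
// installed copies of @sap/approuter whose version falls inside the range the
// advisory lists as affected by Security Note 3567974 / CVE-2025-24876
// (2.6.1 to 16.7.1). Only that range comes from the advisory; the sample
// lockfile at the bottom is constructed, and the fixed version is not
// assumed here, so anything outside the range is simply reported as "ok".

const AFFECTED_PACKAGE = '@sap/approuter';
const AFFECTED_FROM = '2.6.1';  // inclusive lower bound, from the advisory
const AFFECTED_TO = '16.7.1';   // inclusive upper bound, from the advisory

// Parse "MAJOR.MINOR.PATCH" into three integers; a leading "v" and any
// pre-release/build suffix are dropped, so "16.7.1-rc.1" compares as 16.7.1
// (conservative: a pre-release of the last affected version stays flagged).
function parseVersion(v) {
  const core = String(v).trim().replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric component-wise comparison (string comparison would put 16.x < 2.x).
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0 &&
         compareVersions(version, AFFECTED_TO) <= 0;
}

// Collect every installed copy of the package, including nested duplicates,
// from a lockfile v2/v3 "packages" map or a legacy v1 "dependencies" tree.
function findApprouterVersions(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${AFFECTED_PACKAGE}`) && meta.version) {
        hits.push({ path, version: meta.version });
      }
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === AFFECTED_PACKAGE && meta.version) {
          hits.push({ path, version: meta.version });
        }
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed sample lockfile: one copy at the top of the affected range and
// one nested copy under a fictitious helper package, just below the range.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@sap/approuter': { version: '16.7.1' },
    'node_modules/some-mta-helper/node_modules/@sap/approuter': { version: '2.6.0' },
  },
};

// Usage (hypothetical file name): node check-approuter.js [path/to/package-lock.json]
// Without an argument the constructed sample above is scanned.
let lockToScan = SAMPLE_LOCK;
if (typeof process !== 'undefined' && process.argv[2] && typeof require === 'function') {
  lockToScan = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
}
for (const h of findApprouterVersions(lockToScan)) {
  console.log(`${h.affected ? 'AFFECTED' : 'ok      '}  ${h.version.padEnd(8)}  ${h.path}`);
}
```

The lockfile, not package.json, is the right input: a caret range such as "^16.0.0" in package.json says nothing about which approuter actually ships in the MTA archive, and a second copy nested under another dependency is exactly the one a manual review tends to miss.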

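Notes 3555364 and 3559510 both describe missing browser-side defense-in-depth controls in SAP Commerce: cookies issued without a SameSite attribute, and Backoffice pages that can be framed because neither X-Frame-Options nor a Content-Security-Policy frame-ancestors directive is sent. After the patches are applied, the natural verification is to capture a response from the affected endpoint and check those two controls directly. The audit below is an added example written for this advisory, not SAP's code: it parses a raw HTTP response head, lists every Set-Cookie without SameSite (and the SameSite=None-without-Secure combination browsers reject), and reports when no framing restriction is present. The sample response is constructed; the advisory does not say which cookies or pages the SAP notes cover, so the audit reports every gap it finds and leaves the judgement of which ones matter to the reader.

```javascript
// Added example, not SAP's code: audit a captured HTTP response for the two
// browser-side defense-in-depth controls named in Security Notes 3555364
// (SameSite on cookies) and 3559510 (clickjacking protection). The sample
// response at the bottom is constructed.

// Parse a raw HTTP/1.1 response head into { status, headers }; each header
// name maps to an array of values because Set-Cookie legitimately repeats.
function parseResponseHead(raw) {
  const head = raw.replace(/\r\n/g, '\n').split('\n\n')[0];
  const [statusLine, ...lines] = head.split('\n');
  const status = Number(statusLine.split(' ')[1]);
  const headers = {};
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return { status, headers };
}

// Split a Set-Cookie value into the cookie name and a lower-cased attribute
// map; valueless attributes such as HttpOnly map to true.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const [k, v] = a.split('=');
    attributes[k.toLowerCase()] = v === undefined ? true : v.trim();
  }
  return { name, attributes };
}

// Returns a list of human-readable findings; an empty list means both
// controls are present for this response.
function auditResponse(raw) {
  const { headers } = parseResponseHead(raw);
  const findings = [];

  // Check in the spirit of 3555364: every cookie should carry an explicit
  // SameSite value. SameSite=None is only honoured together with Secure.
  for (const sc of headers['set-cookie'] || []) {
    const { name, attributes } = parseSetCookie(sc);
    const sameSite = attributes.samesite;
    if (!sameSite) {
      findings.push(`cookie ${name}: no SameSite attribute`);
    } else if (String(sameSite).toLowerCase() === 'none' && !attributes.secure) {
      findings.push(`cookie ${name}: SameSite=None without Secure`);
    }
  }

  // Check in the spirit of 3559510: framing must be restricted either by
  // X-Frame-Options (DENY or SAMEORIGIN) or by a CSP frame-ancestors directive.
  const xfo = (headers['x-frame-options'] || []).map((v) => v.toUpperCase());
  const csp = (headers['content-security-policy'] || []).join(';');
  const hasXfo = xfo.some((v) => v === 'DENY' || v === 'SAMEORIGIN');
  const hasFrameAncestors = /(^|;)\s*frame-ancestors\s/i.test(csp);
  if (!hasXfo && !hasFrameAncestors) {
    findings.push('no clickjacking protection (neither X-Frame-Options nor CSP frame-ancestors)');
  }
  return findings;
}

// Constructed sample: a Backoffice-style page that sets three cookies, two of
// them without a usable SameSite policy, and sends no framing restriction.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html;charset=UTF-8',
  'Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly',
  'Set-Cookie: XSRF-TOKEN=deadbeef; Path=/; Secure; SameSite=Strict',
  'Set-Cookie: tracking=1; Path=/; SameSite=None',
  '',
  '<html>...</html>',
].join('\r\n');

for (const finding of auditResponse(SAMPLE_RESPONSE)) {
  console.log(finding);
}
```

Run it against a response captured with curl -i (or a proxy export) from the Commerce storefront and from the Backoffice login page; the two notes are scoped to different parts of the product, so a clean result on one endpoint says nothing about the other.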

Details of the security researchers and research companies who
contributed to this month's security patches are given in the
acknowledgements linked from the original post.

SAP is committed to delivering trustworthy products and cloud
services. Secure configuration is essential to secure operation and
data integrity. SAP has therefore documented security recommendations,
consolidated in a single document linked from the original post, to
help you configure the best security for your SAP portfolio. Archived
blogs from previous years are linked from the same post.
Comments or feedback about this post can be sent to secure@sap.com.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
