=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN351

_____________________________________________________________________

DATE                : 11/06/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP products.

=====================================================================
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/june-2025.html
_____________________________________________________________________


SAP Security Patch Day - June 2025

This post shares information on the Security Notes that remediate
vulnerabilities discovered in SAP products. SAP strongly recommends
that customers visit the Support Portal and apply patches as a
priority to protect their SAP landscape.

On 10th of June 2025, SAP Security Patch Day saw the release of 14
new Security Notes.

Note#       : 3600840
Title       : [CVE-2025-42989] Missing Authorization check in SAP NetWeaver
              Application Server for ABAP
Product     : SAP NetWeaver Application Server for ABAP
Versions    : KERNEL 7.89, 7.93, 9.14, 9.15
Priority    : Critical
CVSS        : 9.6

Note#       : 3609271
Title       : [CVE-2025-42982] Information Disclosure in SAP GRC (AC Plugin)
Product     : SAP GRC (AC Plugin)
Versions    : GRCPINW V1100_700, V1100_731
Priority    : High
CVSS        : 8.8

Note#       : 3606484
Title       : [CVE-2025-42983] Missing Authorization check in SAP Business
              Warehouse and SAP Plug-In Basis
Product     : SAP Business Warehouse and SAP Plug-In Basis
Versions    : PI_BASIS 2006_1_700, 701, 702, 731, 740, SAP_BW 750, 751,
              752, 753, 754, 755, 756, 757, 758, 914, 915
Priority    : High
CVSS        : 8.5

Note#       : 3560693
Title       : [CVE-2025-23192] Cross-Site Scripting (XSS) vulnerability in SAP
              BusinessObjects Business Intelligence (BI Workspace)
Product     : SAP BusinessObjects Business Intelligence (BI Workspace)
Versions    : ENTERPRISE 430, 2025, 2027
Priority    : High
CVSS        : 8.2

Note#       : 3610591
Title       : [CVE-2025-42977] Directory Traversal vulnerability in SAP
              NetWeaver Visual Composer
Product     : SAP NetWeaver Visual Composer
Version     : VCBASE 7.50
Priority    : High
CVSS        : 7.6

Note#       : 3610006
Title       : [CVE-2025-42994] Multiple vulnerabilities in SAP MDM Server
Related CVE : CVE-2025-42995, CVE-2025-42996
Product     : SAP MDM Server
Versions    : MDM_SERVER 710.750
Priority    : High
CVSS        : 7.5

Note#       : 3580384
Title       : [CVE-2025-42993] Missing Authorization Check in SAP S/4HANA
              (Enterprise Event Enablement)
Product     : SAP S/4HANA (Enterprise Event Enablement)
Versions    : SAP_GWFND 757, 758
Priority    : Medium
CVSS        : 6.7

Note#       : 3590887
Title       : [CVE-2025-31325] Cross-Site Scripting (XSS) Vulnerability in SAP
              NetWeaver (ABAP Keyword Documentation)
Product     : SAP NetWeaver (ABAP Keyword Documentation)
Version     : SAP_BASIS 758
Priority    : Medium
CVSS        : 5.8

Note#       : 3441087
Title       : [CVE-2025-42984] Missing Authorization check in SAP S/4HANA
              (Manage Central Purchase Contract application)
Product     : SAP S/4HANA (Manage Central Purchase Contract application)
Versions    : S4CORE 106, 107, 108
Priority    : Medium
CVSS        : 5.4

Note#       : 3594258
Title       : [CVE-2025-42998] Security misconfiguration vulnerability in SAP
              Business One Integration Framework
Product     : SAP Business One Integration Framework
Versions    : B1_ON_HANA 10.0, SAP-M-BO 10.0
Priority    : Medium
CVSS        : 5.3

Note#       : 3596850
Title       : [CVE-2025-42987] Missing Authorization Check in SAP S/4HANA
              (Manage Processing Rules - For Bank Statement)
Product     : SAP S/4HANA (Manage Processing Rules - For Bank Statement)
Versions    : S4CORE 104, 105, 106, 107, 108
Priority    : Medium
CVSS        : 4.3

Note#       : 3608058
Title       : [CVE-2025-42991] Missing Authorization check in SAP S/4HANA
              (Bank Account Application)
Product     : SAP S/4HANA (Bank Account Application)
Version     : S4CORE 108
Priority    : Medium
CVSS        : 4.3

Note#       : 3585545
Title       : [CVE-2025-42988] Server-Side Request Forgery in SAP Business
              Objects Business Intelligence Platform
Product     : SAP Business Objects Business Intelligence Platform
Versions    : ENTERPRISE 430, 2025, 2027
Priority    : Low
CVSS        : 3.7

Note#       : 3601169
Title       : [CVE-2025-42990] HTML Injection in Unprotected SAPUI5
              applications
Product     : SAPUI5 applications
Versions    : SAP_UI 750, 754, 755, 756, 757, 758, UI_700 200
Priority    : Low
CVSS        : 3.0


To learn more about the security researchers and research companies
who contributed to this month's security patches, visit here.

 
SAP is committed to delivering trustworthy products and cloud services.
Secure configuration is essential to ensuring secure operation and
data integrity. We have therefore documented security recommendations
that are consolidated in this document to help you configure the best
security for your SAP portfolio.

 
Archived blogs from previous years are available here.

If you have any comments or feedback about this post, you can write
to secure@sap.com


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
