430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Critical flaw fixed in SAP Business One product

Enterprise software giant SAP addressed a critical improper access control vulnerability in its Business One product. SAP November 2023 Security Patch Day includes three new and three updated security notes. The most severe “hot news” is an improper access control vulnerability, tracked as CVE-2023-31403 (CVSS score of 9.6), that impacts SAP Business One product installation. […]

SAP

Enterprise software giant SAP addressed a critical improper access control vulnerability in its Business One product.

SAP November 2023 Security Patch Day includes three new and three updated security notes. The most severe “hot news” is an improper access control vulnerability, tracked as CVE-2023-31403 (CVSS score of 9.6), that impacts SAP Business One product installation.

“SAP Business One installation – version 10.0, does not perform proper authentication and authorization checks for SMB shared folder.” reads the advisory. “As a result, any malicious user can read and write to the SMB shared folder. Additionally, the files in the folder can be executed or be used by the installation process leading to considerable impact on confidentiality, integrity and availability.”

The second Hot News is an update to a Security Note released on September 2023 Patch Day, the issue tracked as CVE-2023-40309 (CVSS score 9.8) is a missing authorization check in SAP CommonCryptoLib

“SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges.” reads the advisory. “Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.”

The remaining security notes address four medium-severity vulnerabilities. Below is the full list of issues addressed as part of the SAP Security Note #3355658.

SAP NoteTypeDescriptionPriorityCVSS
2494184UpdateCross-Site Request Forgery (CSRF) vulnerability in multiple SAP Sybase products BC-SYB-SQAMedium6,3
3355658New[CVE-2023-31403] Improper Access Control vulnerability in SAP Business One product installation SBO-CRO-SECHot News9,6
3362849New[CVE-2023-41366] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform BC-CST-ICMedium5,3
3366410New[CVE-2023-42480] Information Disclosure in NetWeaver AS Java Logon BC-JAS-SECMedium5,3
3333426Update[CVE-2023-42477] Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application) BC-JAS-ADM-MONMedium6,5
3340576Update[CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib BC-IAM-SSO-CCLHot News9,8

At this time we are not aware of attacks in the wild exploiting these vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SAP)