"The application uses an outdated artifact of Apache Log4j 1.2.17 that is vulnerable to CVE-2019-17571. It allows an unprivileged attacker to execute arbitrary code remotely on the server, causing high impact on confidentiality, integrity, and availability of the application."
"CVE-2026-27685 stems from missing or insufficient validation during the deserialization of uploaded content, which could allow an attacker to upload untrusted or malicious content. Only the fact that an attacker requires high privileges for a successful exploit prevents the vulnerability from being tagged with a CVSS score of 10."
SAP addressed two critical security flaws with CVSS scores of 9.8 and 9.1 respectively. CVE-2019-17571 involves a code injection vulnerability in the Quotation Management Insurance application stemming from outdated Apache Log4j 1.2.17, allowing unprivileged attackers to execute arbitrary code remotely with high impact on confidentiality, integrity, and availability. CVE-2026-27685 is an insecure deserialization vulnerability in NetWeaver Enterprise Portal Administration caused by insufficient validation during content deserialization, enabling attackers with high privileges to upload malicious content. These updates align with broader security patch releases from Microsoft, Adobe, and Hewlett Packard Enterprise addressing multiple critical vulnerabilities across their respective products.
#sap-security-vulnerabilities #arbitrary-code-execution #critical-patches #deserialization-flaws #log4j-vulnerability
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]