SAP Security Notes - 03/25 - SecurityBridge Cloud

.no-js-class { display: none; } body { background-color: #fff; }

No JavaScript!

It seems your browser does not support JavaScript or it was disable by purpose! We use JavaScript to improve the user experience. Please consider enabling it for a better usability.

We've created the first of its kind, SecurityBridge Cloud Platform, designed to prioritize SAP patches, updates, and remediation strategies that help prevent disruptions to critical business systems. Our security advisories provide SAP users with valuable insights into the security and business implications of operating SAP.

The user interface is designed to be as intuitive as possible, but we’d love to hear your feedback and suggestions.

× Hey there! Glad you made it.
We have found 22 security advices for you to review.

Severity

SAP© Security advisories 22

System Types

Affected SAP© system types

3563927

CVSS

8.8

Affected system type ABAP

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2025-26661] Missing Authorization check in SAP NetWeaver (ABAP Class Builder)

Security Advisory

3569602

CVSS

8.8

Affected system type SAP Commerce

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2025-27434] Cross-Site Scripting (XSS) vulnerability in SAP Commerce (Swagger UI)

Security Advisory

3566851

CVSS

8.6

Affected system type SAP Commerce Cloud

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2024-38286] Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud

Security Advisory

3567974

CVSS

8.1

Affected system type SAP Approuter

Patchday 2025-03

Released on 2025/02/11

Description [CVE-2025-24876] Authentication bypass via authorization code injection in SAP Approuter

Security Advisory

3561045

CVSS

6.8

Affected system type SAP Business One

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2025-26658] Broken Authentication in SAP Business One (Service Layer)

Security Advisory

3552824

CVSS

6.1

Affected system type ABAP

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2025-26659] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)

Security Advisory

3562390

CVSS

6.1

Affected system type ABAP

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2025-25242] Cross-Site Scripting (XSS) in SAP NetWeaver Application Server ABAP

Security Advisory

3552144

CVSS

5.7

Affected system type ABAP

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2025-25244] Missing Authorization Check in SAP Business Warehouse (Process Chains)

Security Advisory

3567246

CVSS

5.4

Affected system type Java

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2025-27431] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java

Security Advisory

3557469

CVSS

5.4

Affected system type BI/BO platform

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2025-25245] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)

Security Advisory

3558132

CVSS

4.9

Affected system type Kernel

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2025-0071] Information Disclosure vulnerability in SAP Web Dispatcher and Internet Communication Manager

Security Advisory

3557459

CVSS

4.7

Affected system type BI/BO platform

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2025-0062] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)

Security Advisory

3565835

CVSS

4.3

Affected system type ABAP

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2025-27433] Broken Access Control vulnerabilities in SAP S/4HANA (Manage Bank Statements)

Security Advisory

3557655

CVSS

4.3

Affected system type ABAP

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2025-26660] Broken Access Control in SAP Fiori apps (Posting Library)

Security Advisory

3475427

CVSS

4.3

Affected system type SAP Fiori

Patchday 2025-03

Released on 2024/08/13

Description [CVE-2024-41736] Information Disclosure vulnerability in SAP Permit to Work

Security Advisory

3474392

CVSS

4.3

Affected system type ABAP

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2025-26656] Missing Authorization check in S/4HANA (Manage Purchasing Info Records)

Security Advisory

3557131

CVSS

4.3

Affected system type ABAP

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2025-23188] Missing Authorization check in SAP S/4HANA (RBD)

Security Advisory

3549494

CVSS

4.1

Affected system type BI/BO platform

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2025-23185] Information Disclosure in SAP Business Objects Business Intelligence Platform

Security Advisory

3562415

CVSS

3.7

Affected system type SAP Commerce Cloud SAP DataHub

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2024-38819] Multiple vulnerabilities in Spring Framework within SAP Commerce Cloud and SAP Datahub

Security Advisory

3347991

CVSS

3.1

Affected system type ABAP

Patchday 2025-03

Released on 2025/02/24

Description [CVE-2025-26655] Missing Authorization check in SAP JIT(Outbound)

Security Advisory

3568865

CVSS

2.4

Affected system type ABAP

Patchday 2025-03

Released on 2025/03/11

Description [CVE-2025-27432] Missing Authorization check in SAP Electronic Invoicing for Brazil (eDocument Cockpit)

Security Advisory

3576540

CVSS

0.0

Affected system type BTP

Patchday 2025-03

Released on 2025/03/11

Description Open Source Security Advisory: Best Practices for Securing Spring Boot Actuator Endpoints for applications running on BTP

Security Advisory