Main Vulnerability Database SB2024081346

SB2024081346 - XML injection in SAP BEx Web Java Runtime Export Web Service

Published: August 13, 2024

Security Bulletin ID SB2024081346

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) XML injection (CVE-ID: CVE-2024-42374)

The vulnerability allows a remote attacker to gain access to sensitive information or perform a denial of service attack.

The vulnerability exists due to improper input validation when processing XML files. A remote unauthenticated attacker can pass a specially crafted XML file to the application and gain access to sensitive information from the SAP ADS system or exhaust the number of XMLForm service, rendering the SAP ADS (PDF creation) unavailable.

Remediation

Install update from vendor's website.

References

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/august-2024.html