“Looking at the vector again, the privileges required is set to Low, which means a basic account authentication would be required,” he noted. An attacker would want to target an account they could take over and then use to carry out the injection attack that leads to full compromise.
The other SAP Security Note CISOs should pay attention to is #3572688, he said, which is tagged with a CVSS score of 9.8. It patches an authentication bypass vulnerability in SAP Financial Consolidation. Due to an improper authentication mechanism, unauthenticated attackers can impersonate the Admin account, causing high impact on the confidentiality, integrity, and availability of the application.
Google Android fixes
Separately, Malwarebytes reports that Google announced patches for 62 vulnerabilities in Android 13, 14 and 15. Smartphone and tablet manufacturers were notified at least a month ago to give them time to prepare updates for their devices, which should be released in the coming days or weeks. Among the fixes, two will plug actively exploited zero-day vulnerabilities.