On its Security Patch Day, German software developer SAP announced the release of nine new security notes, two of which addressed critical bugs in BusinessObjects and SAPUI5.
Two notes that had already been published received updates as well. Between the second Tuesday in October and the second Tuesday in November, three additional security notes were made public. Three of this month’s security notes have the “hot news” designation, which in SAP’s books denotes the highest severity level. The first one addresses CVE-2022-41203, a critical-severity insecure deserialization of untrusted data vulnerability in the BusinessObjects Business Intelligence platform (CVSS score of 9.9).
In order to address a problem with account hijacking in Commerce, SAP also updated a hot news security note that was published in October (CVSS score of 9.6).