SAP takes security extremely seriously and issues patches every month to ensure the safety of data. Most months these patches affect the large enterprise products and do not affect Business One. However, the August release indicated two high severity patches which need to be addressed.
SAP Business One (SBO-CRO-SEC) – CVE-2023-39437
This is a Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject malicious code into the web page or the application and deliver it to the client. This affects the Confidentiality, Integrity, and Availability of the application. The CVSS score for this vulnerability is given as 7.6 (High).
SAP Business One (SBO-CRO-SEC) – CVE-2023-33993
This vulnerability can be exploited by an authenticated attacker by sending crafted queries over the network to read or modify SQL data. The CVSS score for this vulnerability is given as 7.1 (High).
Please note that you will need to be logged in to SAP For Me in order to access the linked notes.
Upgrade to SAP B1 FP2305 Hot Fix 1
The urgency of these notes points out the need to keep your SAP system patched and up to date to protect your data from cyber criminals.
A third note with a CVSS security rating of 5.3 was also announced and released. The Security Misconfiguration vulnerability in SAP Business One (Service Layer), CVE-2023-37487, was fixed in FP2208 – Hot Fix 2.
Contact your SAP Business One partner for assistance with your upgrade or patching. Feel free to send an e-mail to email@example.com if you have additional questions.