Child pages
  • SAP Security Patch Day – September 2018
Skip to end of metadata
Go to start of metadata

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 11th of September 2018, SAP Security Patch Day saw the release of 13 Security Notes. Additionally, there was 1 update to previously released security notes.

List of security notes released on September Patch Day:



Update to Security Note released on April 2018 Patch Day:  
Security updates for the browser control Chromium delivered with SAP Business Client
Product - SAP Business Client; Version - 6.5

Hot News9.8
2670284[CVE-2018-2458] Information Disclosure in SAP Business One
Product - SAP Business One; Versions - 9.2, 9.3 
2644279[CVE-2018-2462] Missing XML Validation vulnerability in BEx Web Java Runtime Export Web Service
Product - SAP NetWeaver BI; Versions - 7.30, 7.31. 7.40, 7.41, 7.50
2681207[CVE-2018-2465] DOS vulnerability in SAP HANA, Extended Application Services classic model
Product - SAP HANA; Versions - 1.0, 2.0
2679378[CVE-2018-2464] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver WebDynpro Java
Product - SAP WebDynpro; Version - 7.20, 7.30, 7.31, 7.40, 7.50
2623846[CVE-2018-2452] Cross Site Scripting in NW AS Java Logon Application
Product - SAP NetWeaver AS Java; Versions - 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 
2680834[CVE-2018-2463] Server-Side Request Forgery (SSRF) in SAP Hybris Commerce
Product - SAP Hybris Commerce; Versions - 6.*
2665970Missing XML Validation vulnerability in Plant Connectivity (PCo)
Related CVE - CVE-2017-12069
Product - SAP Plant Connectivity, Version - 15.0

[CVE-2018-2457] Information Disclosure in SAP Adaptive Server Enterprise
Product - SAP Adaptive Server Enterprise, Version - 16.0

2673959[CVE-2018-2461] Missing authorization check in SAP HCM Fiori app "People Profile"
Product - SAP HCM Fiori "People Profile" (GBX01HR); Version - 6.0
2672919[CVE-2018-2459] Information disclosure in SAP Mobile Platform server Offline OData
Product - SAP Mobile Platform; Versions - 3.0
2646067[CVE-2018-2455] Missing Authorization check in SAP Enterprise Financial Services
Product - SAP Enterprise Financial Services; Versions - 6.05, 6.06, 6.16, 6.17, 6.18, 8.0
2645133[CVE-2018-2454] Missing Authorization check in SAP Enterprise Financial Services
Product - SAP Enterprise Financial Services, Versions - 6.05, 6.06, 6.16, 6.17, 6.18, 8.0
2682503 [CVE-2018-2460] Insecure certificate verification in SAP Business One Android application
Product - SAP Business One Android application, Version - 1.2



Security Notes vs Vulnerability Types - September 2018

Security Notes vs Priority Distribution (April 2018 – September 2018)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day, see: -> All Security Notes -> Filter for notes which have been published after 14th August 2018.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page

Do write to us at with all your comments and feedback on this blog post.

SAP Product Security Response Team


  • No labels