Child pages
  • SAP Security Patch Day – July 2019
Skip to end of metadata
Go to start of metadata

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 9th of July 2019, SAP Security Patch Day saw the release of 11 Security Notes. There are no updates to previously released Patch Day Security Notes.

List of security notes released on July Patch Day:



[CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent

Product - SAP Diagnostic Agent (LM-Service); Version - 7.20
Hot News9.1

[CVE-2019-0328] Code Injection vulnerability in ABAP Tests Modules of SAP NetWeaver Process Integration
Product - SAP NetWeaver Process Integration ABAP tests (SAP Basis), Version - 7.0, 7.1, 7.3, 7.31, 7.4, 7.5


[CVE-2019-0322Denial of service (DOS) in SAP Commerce Cloud
Product - SAP Commerce Cloud (ex SAP Hybris Commerce) (HY_COM), Versions - 6.3, 6.4, 6.5, 6.6, 6.7, 1808, 1811

2756539[CVE-2019-0281Cross-Site Scripting (XSS) vulnerability in SAPUI5 and OpenUI5
Product - OpenUI5, Versions - <= 1.38.39, <= 1.44.39, <= 1.52.25, <= 1.60.6, <= 1.63.0
2804833[CVE-2019-0329] Cross-Site Scripting (XSS) vulnerability in SAP Information Steward 4.2
Product - SAP Information Steward, Versions - 4.2

[CVE-2019-0321Cross-Site Scripting (XSS) vulnerability in ABAP Server and ABAP Platform

Product - ABAP Server and ABAP Platform (SAP Basis), Versions - 7.31, 7.4, 7.5

[CVE-2019-0326Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Workspace)
Product -  SAP BusinessObjects Business Intelligence Platform (BI Workspace) (Enterprise), Versions - 4.1, 4.2, 4.3


[CVE-2019-0327Unrestricted File Upload vulnerability in SAP NetWeaver AS Java (Web Container)
Product -  SAP NetWeaver for Java Application Server (Web Container), Versions - engineapi (7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), servercode (7.2, 7.3, 7.31, 7.4, 7.5)


[CVE-2019-0325Missing Authorization check in SAP ERP HCM
Product - SAP ERP HCM (SAP_HRCES), Version - 3

2738791[CVE-2019-0318Information disclosure in SAP NetWeaver AS Java (Startup Framework)
Product - SAP NetWeaver Application Server for Java (Startup Framework), Versions - 7.21, 7.22, 7.45, 7.49, and 7.53
2752614[CVE-2019-0319] Content Injection Vulnerability in SAP Gateway
Product - SAP Gateway, Versions - 7.5, 7.51, 7.52 and 7.53



Security Notes vs Vulnerability Types - July 2019


Security Notes vs Priority Distribution (February 2019 – July 2019)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes published or updated after June 11, 2019, go to Launchpad Expert Search → Filter 'SAP Security Notes'  released between 'June 12, 2019 - July 09, 2019' → Go.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page

Do write to us at with all your comments and feedback on this blog post.

SAP Product Security Response Team

  • No labels