With its August 2023 Patch Tuesday updates, German software major SAP has patched more than a dozen new vulnerabilities, including a serious weakness impacting the company’s PowerDesigner data modeling and enterprise architecture tool. According to Onapsis, the same update also resolves a medium-severity password leakage issue in SAP PowerDesigner. SAP has also alerted customers to a patch for CVE-2023-36923, a high-severity code injection vulnerability in PowerDesigner.
In addition to releasing 16 new patches, SAP updated a number of previously issued fixes. According to business application security company Onapsis, the significant (HotNews) PowerDesigner flaw, identified as CVE-2023-37483, is an improper access control issue that an unauthenticated attacker can exploit to run arbitrary queries against the backend database.