CVE-2022-41273

{"id": "CVE-2022-41273", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2022-12-13T04:15:25.107", "references": [{"url": "https://launchpad.support.sap.com/#/notes/3270399", "tags": ["Permissions Required", "Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "Due to improper input sanitization in SAP Sourcing and SAP Contract Lifecycle Management - version 1100, an attacker can redirect a user to a malicious website. In order to perform this attack, the attacker sends an email to the victim with a manipulated link that appears to be a legitimate SAP Sourcing URL, since the victim doesn\u2019t suspect the threat, they click on the link, log in to SAP Sourcing and CLM and at this point, they get redirected to a malicious website. \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0"}, {"lang": "es", "value": "Debido a una sanitizaci\u00f3n inadecuada de las entradas en SAP Sourcing y SAP Contract Lifecycle Management - versi\u00f3n 1100, un atacante puede redirigir a un usuario a un sitio web malicioso. Para realizar este ataque, el atacante env\u00eda un correo electr\u00f3nico a la v\u00edctima con un enlace manipulado que parece ser una URL leg\u00edtima de SAP Sourcing, ya que la v\u00edctima no sospecha la amenaza, hace clic en el enlace e inicia sesi\u00f3n en SAP Sourcing. y CLM y, en este punto, son redirigidos a un sitio web malicioso."}], "lastModified": "2023-11-07T03:52:45.687", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:contract_lifecycle_manager:1100:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3AF649F9-200F-4777-8A43-4E2FB3318C83"}, {"criteria": "cpe:2.3:a:sap:sourcing:1100:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3AF14A54-F54F-453E-AC11-0144E6CC1F31"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}