CVE-2023-24529

Due to lack of proper input validation, BSP application (CRM_BSP_FRAME) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, allow malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a Reflected Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to hijack a user session, read and modify some sensitive information.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://launchpad.support.sap.com/#/notes/3282663	Permissions Required Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:7.00:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:7.01:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:7.02:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:7.31:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:7.40:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:7.50:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:7.51:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:7.52:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:75c:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:75d:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:75e:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:75f:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:75g:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:75h:::::::*

History

21 Feb 2023, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-02-14 04:15

Updated : 2024-02-04 23:14

NVD link : CVE-2023-24529

Mitre link : CVE-2023-24529

CVE.ORG link : CVE-2023-24529

JSON object : View

Products Affected

sap

netweaver_as_abap_business_server_pages

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-24529", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2023-02-14T04:15:12.977", "references": [{"url": "https://launchpad.support.sap.com/#/notes/3282663", "tags": ["Permissions Required", "Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Due to lack of proper input validation, BSP application (CRM_BSP_FRAME) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, allow malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a Reflected Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to hijack a user session, read and modify some sensitive information.\n\n"}], "lastModified": "2023-04-11T22:15:08.633", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:7.00:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2E6E948A-59A4-460A-8369-68E9A94CA4EC"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:7.01:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B2AC049-E6B5-4954-875A-7E66F2CEFEDF"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:7.02:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1097BE81-D7C7-4288-82A8-F5FA0EB492E3"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:7.31:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4AA4EAF-ED70-4FEC-85B5-C8229EB5F600"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:7.40:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F822C6B-3047-4EB1-9A85-EE10EA592DE4"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:7.50:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "689471D5-2189-48AF-ACE9-41DA4B642B1E"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:7.51:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CD618C71-34FF-414C-86DC-C43C5EEF5D20"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:7.52:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E4BD107-F102-4859-9439-955F4DACE96F"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:75c:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "63AE465A-45CC-4834-BEC0-589935EFCAD2"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:75d:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AAADF821-7088-4D5C-BB6D-2662880AC62D"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:75e:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "76E464A9-F2FD-4A91-8562-A33EBABD24E7"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:75f:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D396DE3-DCE7-4CB1-B6AB-85F2A850C180"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:75g:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DC3734C6-B13F-4BDA-8586-47C18FD1B26E"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_business_server_pages:75h:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E3975983-9499-49E2-8A1E-F1F9B2B5A792"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}