CVE-2024-22128

SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can inject malicious javascript to cause limited impact to confidentiality and integrity of the application data after successful exploitation.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3396109	Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_700:::::::*
	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_701:::::::*
	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_702:::::::*
	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_731:::::::*
	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_754:::::::*
	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_755:::::::*
	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_756:::::::*
	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_757:::::::*
	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_758:::::::*

History

16 Oct 2024, 21:30

Type	Values Removed	Values Added
First Time		Sap netweaver Business Client For Html Sap
References	~~() https://me.sap.com/notes/3396109 -~~	() https://me.sap.com/notes/3396109 - Permissions Required
References	~~() https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html -~~	() https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~4.7~~	v2 : unknown v3 : 6.1
CPE		cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_702:::::::* cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_731:::::::* cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_757:::::::* cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_755:::::::* cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_754:::::::* cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_700:::::::* cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_701:::::::* cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_756:::::::* cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_758:::::::*

13 Feb 2024, 14:01

Type	Values Removed	Values Added
Summary		(es) SAP NWBC para HTML: versiones SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, no codifica suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS). Un atacante no autenticado puede inyectar javascript malicioso para causar un impacto limitado en la confidencialidad y la integridad de los datos de la aplicación después de una explotación exitosa.

13 Feb 2024, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-13 02:15

Updated : 2024-10-16 21:30

NVD link : CVE-2024-22128

Mitre link : CVE-2024-22128

CVE.ORG link : CVE-2024-22128

JSON object : View

Products Affected

sap

netweaver_business_client_for_html

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10