CVE-2024-42378

Due to weak encoding of user-controlled inputs, eProcurement on SAP S/4HANA allows malicious scripts to be executed in the application, potentially leading to a Reflected Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application, but it can have some minor impact on its confidentiality and integrity.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3497347
https://url.sap/sapsecuritypatchday

Configurations

No configuration.

History

10 Sep 2024, 12:09

Type	Values Removed	Values Added
Summary		(es) Debido a la codificación deficiente de las entradas controladas por el usuario, eProcurement en SAP S/4HANA permite que se ejecuten scripts maliciosos en la aplicación, lo que puede generar una vulnerabilidad de tipo XSS (Cross-Site Scripting Reflejado). Esto no afecta la disponibilidad de la aplicación, pero puede tener un impacto menor en su confidencialidad e integridad.

10 Sep 2024, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-10 03:15

Updated : 2024-09-10 12:09

NVD link : CVE-2024-42378

Mitre link : CVE-2024-42378

CVE.ORG link : CVE-2024-42378

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10