CVE-2024-22128

SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can inject malicious javascript to cause limited impact to confidentiality and integrity of the application data after successful exploitation.

CVSS v3 4.7 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3396109	Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory
https://me.sap.com/notes/3396109	Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_700:::::::*
	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_701:::::::*
	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_702:::::::*
	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_731:::::::*
	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_754:::::::*
	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_755:::::::*
	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_756:::::::*
	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_757:::::::*
	cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_758:::::::*

History

No history.

Information

Published : 2024-02-13 02:15

Updated : 2024-11-21 08:55

NVD link : CVE-2024-22128

Mitre link : CVE-2024-22128

CVE.ORG link : CVE-2024-22128

JSON object : View

Products Affected

sap

netweaver_business_client_for_html

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-22128", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-02-13T02:15:08.323", "references": [{"url": "https://me.sap.com/notes/3396109", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://me.sap.com/notes/3396109", "tags": ["Permissions Required"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can inject malicious javascript to cause limited impact to confidentiality and integrity of the application data after successful exploitation.\n\n"}, {"lang": "es", "value": "SAP NWBC para HTML: versiones SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, no codifica suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS). Un atacante no autenticado puede inyectar javascript malicioso para causar un impacto limitado en la confidencialidad y la integridad de los datos de la aplicaci\u00f3n despu\u00e9s de una explotaci\u00f3n exitosa."}], "lastModified": "2024-11-21T08:55:38.297", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_700:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78C94A50-17DD-4206-9861-E4406C7CFEDB"}, {"criteria": "cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_701:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7055999C-5B25-4E7D-B7A3-9A140DCA9E93"}, {"criteria": "cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_702:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B9F39B4-5F9B-4E1C-94A4-3201A6D6CFFF"}, {"criteria": "cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_731:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D2FD9175-513A-45CE-B113-6EE1C00ADACE"}, {"criteria": "cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_754:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3FA1C87-6B1D-49EC-B2B6-9FA74B41C643"}, {"criteria": "cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_755:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C5A00719-2E66-4CFE-B10A-7582F83A3724"}, {"criteria": "cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_756:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "14A2A918-2B9D-442A-80E7-B0268540647D"}, {"criteria": "cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_757:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F301FA2-E797-4AAE-B152-FD20AAB815E7"}, {"criteria": "cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_758:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "06987429-230F-423E-B5A2-5D9347D446EF"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}