CVE-2024-34685

Due to weak encoding of user-controlled input in SAP NetWeaver Knowledge Management XMLEditor which allows malicious scripts can be executed in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application but it has a low impact on its confidentiality and integrity.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3468681	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory
https://me.sap.com/notes/3468681	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:netweaver_knowledge_management_and_collaboration_\(kmc-cm\):7.50:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-07-09 04:15

Updated : 2024-11-21 09:19

NVD link : CVE-2024-34685

Mitre link : CVE-2024-34685

CVE.ORG link : CVE-2024-34685

JSON object : View

Products Affected

sap

netweaver_knowledge_management_and_collaboration_\(kmc-cm\)

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-34685", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-07-09T04:15:12.090", "references": [{"url": "https://me.sap.com/notes/3468681", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://me.sap.com/notes/3468681", "tags": ["Permissions Required"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Due to weak encoding of user-controlled input in\nSAP NetWeaver Knowledge Management XMLEditor which allows malicious scripts can\nbe executed in the application, potentially leading to a Cross-Site Scripting\n(XSS) vulnerability. This has no impact on the availability of the application\nbut it has a low impact on its confidentiality and integrity."}, {"lang": "es", "value": "Debido a la codificaci\u00f3n d\u00e9bil de la entrada controlada por el usuario en SAP NetWeaver Knowledge Management XMLEditor, que permite que se puedan ejecutar scripts maliciosos en la aplicaci\u00f3n, lo que podr\u00eda provocar una vulnerabilidad de Cross-Site Scripting (XSS). Esto no tiene ning\u00fan impacto en la disponibilidad de la aplicaci\u00f3n pero tiene un impacto bajo en su confidencialidad e integridad."}], "lastModified": "2024-11-21T09:19:11.507", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_knowledge_management_and_collaboration_\\(kmc-cm\\):7.50:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E96E9634-127A-45F3-AE07-F6481CC6AAA4"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}