CVE-2024-37173

Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3467377	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory
https://me.sap.com/notes/3467377	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:customer_relationship_management_s4fnd:102:::::::*
	cpe:2.3:a:sap:customer_relationship_management_s4fnd:103:::::::*
	cpe:2.3:a:sap:customer_relationship_management_s4fnd:104:::::::*
	cpe:2.3:a:sap:customer_relationship_management_s4fnd:105:::::::*
	cpe:2.3:a:sap:customer_relationship_management_s4fnd:106:::::::*
	cpe:2.3:a:sap:customer_relationship_management_s4fnd:107:::::::*
	cpe:2.3:a:sap:customer_relationship_management_s4fnd:108:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:701:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:731:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:746:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:747:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:748:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:800:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:801:::::::*

History

No history.

Information

Published : 2024-07-09 04:15

Updated : 2024-11-21 09:23

NVD link : CVE-2024-37173

Mitre link : CVE-2024-37173

CVE.ORG link : CVE-2024-37173

JSON object : View

Products Affected

sap

customer_relationship_management_s4fnd
customer_relationship_management_webclient_ui

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-37173", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-07-09T04:15:12.867", "references": [{"url": "https://me.sap.com/notes/3467377", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://me.sap.com/notes/3467377", "tags": ["Permissions Required"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Due to insufficient input validation, SAP\n CRM WebClient UI allows an unauthenticated attacker to craft a URL link which\n embeds a malicious script. When a victim clicks on this link, the script will\n be executed in the victim's browser giving the attacker the ability to access\n and/or modify information with no effect on availability of the application."}, {"lang": "es", "value": "Debido a una validaci\u00f3n de entrada insuficiente, la interfaz de usuario de SAP CRM WebClient permite que un atacante no autenticado cree un enlace URL que incorpore un script malicioso. Cuando una v\u00edctima hace clic en este enlace, el script se ejecutar\u00e1 en el navegador de la v\u00edctima, d\u00e1ndole al atacante la capacidad de acceder y/o modificar informaci\u00f3n sin ning\u00fan efecto sobre la disponibilidad de la aplicaci\u00f3n."}], "lastModified": "2024-11-21T09:23:21.503", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:102:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F8E0DA63-3FA7-4CC4-A14E-852A632C41BC"}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:103:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "378861FE-CD5D-49A9-8245-538A91190064"}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:104:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA1262DB-E4C8-4298-B423-5EF859CE722F"}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:105:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F9D85325-56C8-4043-BDA8-C94FE946B912"}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:106:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "42A51853-E87F-47A3-A257-86B28F8F4607"}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:107:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2250BB48-10D6-480F-AE9F-10582674CC9A"}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:108:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "39AF19C9-275E-41E7-B80A-34E31620ABBA"}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:701:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F220D25-9344-482A-A36C-9D743EA55DE8"}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:731:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "48791122-7265-4C51-8AEB-DEBC199F9A7F"}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:746:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9EEA160-B4B4-45E9-84C8-C26E52D6F329"}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:747:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8BDBE717-ADB6-4080-A198-E468080F82B2"}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:748:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B8775BD-EAB8-4F08-B65D-35B704C0E36B"}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:800:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BFCEADC-7359-470F-A412-5B2808CF6069"}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:801:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A387786F-F4F6-44FC-B969-6FB92A1AA096"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}