Lucene search

[email protected]CVE-2024-22126

HistoryFeb 13, 2024 - 2:15 a.m.

CVE-2024-22126

2024-02-1302:15:08

CWE-79

[email protected]

web.nvd.nist.gov

sap

netweaver

java

7.50

cve-2024-22126

cross-site scripting

xss

url parameters

security vulnerability

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

7.8 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP NetWeaver AS Java (User Admin Application)",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "7.50"
      }
    ]
  }
]

References

me.sap.com/notes/3417627

www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html