Lucene search

SapCVELIST:CVE-2024-30214

HistoryApr 09, 2024 - 12:56 a.m.

CVE-2024-30214 Cross-Site Scripting (XSS) vulnerability in SAP Business Connector

2024-04-0900:56:29

CWE-79

sap

www.cve.org

cross-site scripting

sap business connector

cve-2024-30214

service invocations

javascript processing

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

AI Score

5.3

Confidence

High

EPSS

Percentile

9.0%

JSON

The application allows a high privilege attacker to append a malicious GET query parameter to Service invocations, which are reflected in the server response. Under certain circumstances, if the parameter contains a JavaScript, the script could be processed on client side.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP Business Connector",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "4.8"
      }
    ]
  }
]

References

me.sap.com/notes/3421453

support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364