Lucene search

K
cve[email protected]CVE-2022-41266
HistoryDec 13, 2022 - 3:15 a.m.

CVE-2022-41266

2022-12-1303:15:09
CWE-79
web.nvd.nist.gov
35
cve-2022-41266
sap commerce
webservices
xss
security vulnerability
input validation
dom-based xss
nvd

8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

35.4%

Due to a lack of proper input validation, SAP Commerce Webservices 2.0 (Swagger UI) - versions 1905, 2005, 2105, 2011, 2205, allows malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a DOM Cross-Site Scripting (XSS) attack.  As a result, an attacker may be able to steal user tokens and achieve a full account takeover including access to administrative tools in SAP Commerce.

Affected configurations

NVD
Node
sapcommerce_webservices_2.0Match1905
OR
sapcommerce_webservices_2.0Match2005
OR
sapcommerce_webservices_2.0Match2011
OR
sapcommerce_webservices_2.0Match2105
OR
sapcommerce_webservices_2.0Match2205

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Commerce Webservices 2.0 (Swagger UI)",
    "vendor": "SAP",
    "versions": [
      {
        "status": "affected",
        "version": "1905"
      },
      {
        "status": "affected",
        "version": "2005"
      },
      {
        "status": "affected",
        "version": "2105"
      },
      {
        "status": "affected",
        "version": "2011"
      },
      {
        "status": "affected",
        "version": "2205"
      }
    ]
  }
]

8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

35.4%

Related for CVE-2022-41266