History: Apr 11, 2023 - 4:16 a.m.

CVE-2023-29112

2023-04-11 04:16:08
CWE-80
CWE-79
sap
web.nvd.nist.gov

CVSS3: 5.4

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score: 5.4
Confidence: High

EPSS: 0.001
Percentile: 29.6%

The SAP Application Interface (Message Monitoring) - versions 600, 700, allows an authorized attacker to input links or headings with custom CSS classes into a comment. The comment will render links and custom CSS classes as HTML objects. After successful exploitation, an attacker can cause limited impact on the confidentiality and integrity of the application.

Affected configurations

Nvd
Node
sap application_interface Match 600
OR
sap application_interface Match 700

Vendor  Product                Version  CPE
sap     application_interface  600      cpe:2.3:a:sap:application_interface:600:*:*:*:*:*:*:*
sap     application_interface  700      cpe:2.3:a:sap:application_interface:700:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Application Interface Framework (Message Monitoring)",
    "vendor": "SAP",
    "versions": [
      {
        "status": "affected",
        "version": "600"
      },
      {
        "status": "affected",
        "version": "700"
      }
    ]
  }
]
