Apr 11, 2023 - 3:03 a.m.

CVE-2023-29112 Code Injection vulnerability in SAP Application Interface Framework (Message Monitoring)

2023-04-11 03:03:09
CWE-80
sap
www.cve.org

CVSS3: 3.7

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

AI Score: 5.7
Confidence: High

EPSS: 0.001
Percentile: 29.6%

The SAP Application Interface (Message Monitoring), versions 600 and 700, allows an authorized attacker to input links or headings with custom CSS classes into a comment. The comment renders the links and custom CSS classes as HTML objects. After successful exploitation, an attacker can cause limited impact on the confidentiality and integrity of the application.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Application Interface Framework (Message Monitoring)",
    "vendor": "SAP",
    "versions": [
      {
        "status": "affected",
        "version": "600"
      },
      {
        "status": "affected",
        "version": "700"
      }
    ]
  }
]
