cvelist | Sap | CVELIST:CVE-2023-33984
History: Jun 13, 2023 - 2:44 a.m.

CVE-2023-33984 Cross-Site Scripting (XSS) vulnerability in NetWeaver (Design Time Repository)

2023-06-13 02:44:24
CWE-79
sap
www.cve.org
cve-2023-33984
cross-site scripting
netweaver
sap
vulnerability
unauthorized access
content type
versioned files

CVSS3: 6.4

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 29.6%

SAP NetWeaver (Design Time Repository), version 7.50, returns an unfavorable content type for some versioned files, which could allow an authorized attacker to create a file with malicious content and send a link to a victim in an email or instant message. Under certain circumstances, this could lead to a Cross-Site Scripting vulnerability.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP NetWeaver (Design Time Repository)",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "7.50"
      }
    ]
  }
]
