CVELIST:CVE-2024-22126
History: Feb 13, 2024 - 1:58 a.m.

CVE-2024-22126 Cross Site Scripting vulnerability in SAP NetWeaver AS Java (User Admin Application)

2024-02-13 01:58:27

Tags: CWE-79, sap, www.cve.org, cve-2024-22126, cross site scripting, sap netweaver as java, user admin application, url parameters, xss, confidentiality, integrity, availability

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

AI Score: 8
Confidence: High
EPSS: 0
Percentile: 9.0%

The User Admin application of SAP NetWeaver AS for Java, version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them in the redirect URL. This results in a Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and a mild impact on integrity and availability.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP NetWeaver AS Java (User Admin Application)",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "7.50"
      }
    ]
  }
]
