CVE-2024-21738 - OpenCVE

SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Sap	Netweaver Application Server Abap

Configuration 1 [-]

OR	cpe:2.3:a:sap:netweaver_application_server_abap:79::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:700::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:701::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:702::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:731::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:740::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:750::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:751::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:752::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:753::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:754::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:755::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:756::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:757::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:758::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:793::::sap_basis:::

References

Link	Resource
https://me.sap.com/notes/3387737	Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: sap

Published: 2024-01-09T01:19:29.437Z

Updated: 2024-01-09T01:19:29.437Z

Reserved: 2024-01-01T10:54:59.645Z

Link: CVE-2024-21738

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-01-09T02:15:46.020

Modified: 2024-01-11T22:54:02.190

Link: CVE-2024-21738

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-21738", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2024-01-01T10:54:59.645Z", "datePublished": "2024-01-09T01:19:29.437Z", "dateUpdated": "2024-01-09T01:19:29.437Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP NetWeaver ABAP Application Server and ABAP Platform", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "SAP_BASIS 700"}, {"status": "affected", "version": "SAP_BASIS 701"}, {"status": "affected", "version": "SAP_BASIS 702"}, {"status": "affected", "version": "SAP_BASIS 731"}, {"status": "affected", "version": "SAP_BASIS 740"}, {"status": "affected", "version": "SAP_BASIS 750"}, {"status": "affected", "version": "SAP_BASIS 751"}, {"status": "affected", "version": "SAP_BASIS 752"}, {"status": "affected", "version": "SAP_BASIS 753"}, {"status": "affected", "version": "SAP_BASIS 754"}, {"status": "affected", "version": "SAP_BASIS 755"}, {"status": "affected", "version": "SAP_BASIS 756"}, {"status": "affected", "version": "SAP_BASIS 757"}, {"status": "affected", "version": "SAP_BASIS 758"}, {"status": "affected", "version": "SAP_BASIS 793"}, {"status": "affected", "version": "SAP_BASIS 794"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.\u00a0An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation.</p>"}], "value": "SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.\u00a0An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2024-01-09T01:19:29.437Z"}, "references": [{"url": "https://me.sap.com/notes/3387737"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Application Server and ABAP Platform", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:79:*:*:*:sap_basis:*:*:*", "matchCriteriaId": "7E795D39-9D29-4CFC-BDB7-5E990A386647", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:sap_basis:*:*:*", "matchCriteriaId": "6F048ED9-2DDF-4EB9-8571-73832AFABF6A", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:sap_basis:*:*:*", "matchCriteriaId": "C37DC475-6B9A-493C-9A6F-28CDD65D2A5B", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:sap_basis:*:*:*", "matchCriteriaId": "2BD9FE51-F76C-439A-A3C0-5279EC1059F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:sap_basis:*:*:*", "matchCriteriaId": "4EB54432-0E1A-45F2-BEE1-8DC28FAADA9F", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:sap_basis:*:*:*", "matchCriteriaId": "8E96C58C-ED44-487B-A67E-FDAE3C29023A", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:sap_basis:*:*:*", "matchCriteriaId": "A14DF5EB-B8CE-4A47-9959-2F65A5DCEF5F", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:sap_basis:*:*:*", "matchCriteriaId": "3E0CA53D-4335-4872-B527-30802E31B893", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:sap_basis:*:*:*", "matchCriteriaId": "419BA423-0803-4F51-8889-014A521F02CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:sap_basis:*:*:*", "matchCriteriaId": "DA20ECDC-8807-462C-A0F0-70DF6F5A119B", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:sap_basis:*:*:*", "matchCriteriaId": "800AAC21-325C-4F16-AE5A-9F89327E5356", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:sap_basis:*:*:*", "matchCriteriaId": "BDC15DB7-A95B-475F-AAA6-60A801F65690", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:sap_basis:*:*:*", "matchCriteriaId": "55A2FECF-A32E-4188-9563-E8BA0E952261", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:sap_basis:*:*:*", "matchCriteriaId": "9CBF2E53-17F0-4BF0-9C38-749C7E611BF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:758:*:*:*:sap_basis:*:*:*", "matchCriteriaId": "5160572B-E3AB-4B96-8950-07DDAFA0E4A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:793:*:*:*:sap_basis:*:*:*", "matchCriteriaId": "AB104F44-D209-41D3-AE25-A5A4A8CE3323", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.\u00a0An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation.\n\n"}, {"lang": "es", "value": "SAP NetWeaver ABAP Application Server y ABAP Platform no codifican suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS). Un atacante con pocos privilegios puede causar un impacto limitado en la confidencialidad de los datos de la aplicaci\u00f3n despu\u00e9s de una explotaci\u00f3n exitosa."}], "id": "CVE-2024-21738", "lastModified": "2024-01-11T22:54:02.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 1.4, "source": "cna@sap.com", "type": "Secondary"}]}, "published": "2024-01-09T02:15:46.020", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3387737"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cna@sap.com", "type": "Primary"}]}