Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-2421 — Cross-site Scripting in SAP WEB Application Server

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

7.7%

top 8.06%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

SAP WEB Application Server SAP WEB Dynpro

Timeline

PublishedMay 23

Latest updateMay 1

Description

Cross-site scripting (XSS) vulnerability in the Web GUI in SAP Web Application Server (WAS) 7.0, Web Dynpro for ABAP (aka WD4A or WDA), and Web Dynpro for BSP allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under bc/gui/sap/its/webgui/.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDsap/web_dynproabap, bsp+1

▶NVDsap/sap_web_application_server7.0

🔴Vulnerability Details

GHSA

GHSA-2ch6-jww2-3r97: Cross-site scripting (XSS) vulnerability in the Web GUI in SAP Web Application Server (WAS) 7↗2022-05-01

▶

CVEList

CVE-2008-2421: Cross-site scripting (XSS) vulnerability in the Web GUI in SAP Web Application Server (WAS) 7↗2008-05-23

▶

💥Exploits & PoCs

Exploit-DB

SAP Web Application Server 7.0 - '/sap/bc/gui/sap/its/webgui/' Cross-Site Scripting↗2008-05-21

▶