CVE-2022-22534
Severity
6.1 MEDIUM
EPSS
1.2%
top 21.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 9
Latest update: Feb 11
Description
Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password. These endpoints are normally exposed over the network and successful exploitation can partially impact confidentiality of the application.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7
Affected Packages: 2 packages
Vulnerability Details (2)
GHSA
GHSA-vr8v-ggvj-qc6m (2022-02-11): Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user I
CVEList
CVE-2022-22534 (2022-02-09): Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user I