CVE-2022-27656 — Cross-site Scripting in SE SAP WEB Dispatcher

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.4%

top 39.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver AS FOR Abap AND Java SAP SE SAP WEB Dispatcher SAP Netweaver AS Abap Kernel +2 more

Timeline

PublishedMay 11

Latest updateMay 12

Description

The Web administration UI of SAP Web Dispatcher and the Internet Communication Manager (ICM) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶NVDsap/webdispatcher7 versions+6

▶CVEListV5sap_se/sap_web_dispatcher6 versions+5

▶NVDsap/netweaver_as_abap_kernel9 versions+8

▶NVDsap/netweaver_as_abap_krnl64uc5 versions+4

▶CVEListV5sap_se/sap_netweaver_as_for_abap_and_java13 versions+12

🔴Vulnerability Details

GHSA

GHSA-jc59-rwrg-x5xh: The Web administration UI of SAP Web Dispatcher and the Internet Communication Manager (ICM) does not sufficiently encode user-controlled inputs, resu↗2022-05-12

▶

CVEList

CVE-2022-27656: The Web administration UI of SAP Web Dispatcher and the Internet Communication Manager (ICM) does not sufficiently encode user-controlled inputs, resu↗2022-05-11

▶