CVE-2022-35294

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.4%

top 40.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver AS Abap SAP Netweaver Application Server Abap

Timeline

PublishedSep 13

Latest updateSep 14

Description

An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDsap/netweaver_application11 versions+10

▶CVEListV5sap_se/sap_netweaver_as_abap11 versions+10

🔴Vulnerability Details

GHSA

GHSA-pgxh-rpr4-8mr8: An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downlo↗2022-09-14

▶

CVEList

CVE-2022-35294: An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downlo↗2022-09-13

▶