CVE-2022-41260

CWE-79 — Cross-site Scripting (XSS)CWE-601 — Open Redirect4 documents4 sources

Severity

6.1MEDIUM

EPSS

0.3%

top 42.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Financial Consolidation SAP Financial Consolidation

Timeline

PublishedNov 8

Latest updateDec 4

Description

SAP Financial Consolidation - version 1010, does not sufficiently encode user-controlled input which may allow an unauthenticated attacker to inject a web script via a GET request. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDsap/financial_consolidation1010

▶CVEListV5sap_se/sap_financial_consolidation= 1010

🔴Vulnerability Details

OSV

request-tracker4 vulnerabilities↗2023-12-04

▶

GHSA

GHSA-5jf9-cm59-7568: SAP Financial Consolidation - version 1010, does not sufficiently encode user-controlled input which may allow an unauthenticated attacker to inject a↗2022-11-09

▶

CVEList

CVE-2022-41260: SAP Financial Consolidation - version 1010, does not sufficiently encode user-controlled input which may allow an unauthenticated attacker to inject a↗2022-11-08

▶