CVE-2022-41262

CWE-79 — Cross-site Scripting (XSS)CWE-20 — Improper Input Validation3 documents3 sources

Severity

6.1MEDIUM

EPSS

1.3%

top 20.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP Netweaver AS FOR Java (http Provider Service)SAP Netweaver Application Server Java

Timeline

PublishedDec 12

Latest updateDec 13

Description

Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality and integrity of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5sap/netweaver_as_for_java_(http_provider_service)7.50

▶NVDsap/netweaver_application7.50

🔴Vulnerability Details

GHSA

GHSA-vwhx-5rv8-vg6x: Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7↗2022-12-13

▶

CVEList

CVE-2022-41262: Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7↗2022-12-12

▶