CVE-2023-0021

CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

6.1MEDIUM

EPSS

2.0%

top 16.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver SAP Netweaver

Timeline

PublishedMar 14

Latest updateOct 19

Description

Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password, which could lead to reflected Cross-Site scripting. These endpoints are normally exposed over the network and successful exploitation can partially impact confidentiality of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDsap/netweaver6 versions+5

▶CVEListV5sap_se/sap_netweaver6 versions+5

🔴Vulnerability Details

GHSA

GHSA-42mg-mwh3-h53h: Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to inject code t↗2023-03-14

▶

CVEList

Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver↗2023-03-14

▶

📋Vendor Advisories

VMware

VMware Aria Operations for Logs updates address multiple vulnerabilities. (CVE-2023-34051, CVE-2023-34052)↗2023-10-19

▶