CVE-2023-24525

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.5%

top 34.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP CRM (webclient UI)SAP Customer Relationship Management Webclient UI SAP S4fnd

Timeline

PublishedFeb 14

Description

SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an authenticated attacker can cause limited impact on confidentiality of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDsap/s4fnd1.02, 1.03+1

▶CVEListV5sap/crm_(webclient_ui)5 versions+4

▶NVDsap/customer_relationship_management_webclient_ui10 versions+9

🔴Vulnerability Details

GHSA

GHSA-5f56-53rv-c32c: SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Sc↗2023-02-14

▶

CVEList

CVE-2023-24525: SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Sc↗2023-02-14

▶