CVE-2024-34686 — Cross-site Scripting in SE SAP CRM Webclient UI

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.6%

top 29.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP CRM Webclient UI SAP Customer Relationship Management Webclient UI

Timeline

PublishedJun 11

Description

Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5sap_se/sap_crm_webclient_ui15 versions+14

▶NVDsap/customer_relationship_management_webclient_ui15 versions+14

Patches

Patch: support.sap.com ↗Patch: support.sap.com ↗

🔴Vulnerability Details

CVEList

Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)↗2024-06-11

▶

GHSA

GHSA-4h5h-v89j-3c37: Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script↗2024-06-11

▶