All the vulnerabilites related to sap - customer_relationship_management_s4fnd
Vulnerability from fkie_nvd
Published
2024-07-09 04:15
Modified
2024-11-21 09:23
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Custom CSS support option in SAP CRM WebClient
UI does not sufficiently encode user-controlled inputs resulting in Cross-Site
Scripting vulnerability. On successful exploitation an attacker can cause
limited impact on confidentiality and integrity of the application.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3467377 | Permissions Required | |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3467377 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | https://url.sap/sapsecuritypatchday | Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:102:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E0DA63-3FA7-4CC4-A14E-852A632C41BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:103:*:*:*:*:*:*:*",
"matchCriteriaId": "378861FE-CD5D-49A9-8245-538A91190064",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:104:*:*:*:*:*:*:*",
"matchCriteriaId": "DA1262DB-E4C8-4298-B423-5EF859CE722F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:105:*:*:*:*:*:*:*",
"matchCriteriaId": "F9D85325-56C8-4043-BDA8-C94FE946B912",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:106:*:*:*:*:*:*:*",
"matchCriteriaId": "42A51853-E87F-47A3-A257-86B28F8F4607",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:107:*:*:*:*:*:*:*",
"matchCriteriaId": "2250BB48-10D6-480F-AE9F-10582674CC9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:108:*:*:*:*:*:*:*",
"matchCriteriaId": "39AF19C9-275E-41E7-B80A-34E31620ABBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:701:*:*:*:*:*:*:*",
"matchCriteriaId": "2F220D25-9344-482A-A36C-9D743EA55DE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:731:*:*:*:*:*:*:*",
"matchCriteriaId": "48791122-7265-4C51-8AEB-DEBC199F9A7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:746:*:*:*:*:*:*:*",
"matchCriteriaId": "B9EEA160-B4B4-45E9-84C8-C26E52D6F329",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:747:*:*:*:*:*:*:*",
"matchCriteriaId": "8BDBE717-ADB6-4080-A198-E468080F82B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:748:*:*:*:*:*:*:*",
"matchCriteriaId": "1B8775BD-EAB8-4F08-B65D-35B704C0E36B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:800:*:*:*:*:*:*:*",
"matchCriteriaId": "2BFCEADC-7359-470F-A412-5B2808CF6069",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:801:*:*:*:*:*:*:*",
"matchCriteriaId": "A387786F-F4F6-44FC-B969-6FB92A1AA096",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Custom CSS support option in SAP CRM WebClient\nUI does not sufficiently encode user-controlled inputs resulting in Cross-Site\nScripting vulnerability. On successful exploitation an attacker can cause\nlimited impact on confidentiality and integrity of the application."
},
{
"lang": "es",
"value": "La opci\u00f3n de soporte CSS personalizado en la interfaz de usuario de SAP CRM WebClient no codifica suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad de Cross Site Scripting. Si se explota con \u00e9xito, un atacante puede causar un impacto limitado en la confidencialidad y la integridad de la aplicaci\u00f3n."
}
],
"id": "CVE-2024-37174",
"lastModified": "2024-11-21T09:23:21.650",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cna@sap.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-09T04:15:13.127",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3467377"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://url.sap/sapsecuritypatchday"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3467377"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://url.sap/sapsecuritypatchday"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-05-09 02:15
Modified
2024-11-21 08:00
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
SAP CRM (WebClient UI) - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 700, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability.An attacker could store a malicious URL and lure the victim to click, causing the script supplied by the attacker to execute in the victim user's session. The information from the victim's session could then be modified or read by the attacker.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | https://launchpad.support.sap.com/#/notes/3315971 | Permissions Required, Vendor Advisory | |
| cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3315971 | Permissions Required, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:102:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E0DA63-3FA7-4CC4-A14E-852A632C41BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:103:*:*:*:*:*:*:*",
"matchCriteriaId": "378861FE-CD5D-49A9-8245-538A91190064",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:104:*:*:*:*:*:*:*",
"matchCriteriaId": "DA1262DB-E4C8-4298-B423-5EF859CE722F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:105:*:*:*:*:*:*:*",
"matchCriteriaId": "F9D85325-56C8-4043-BDA8-C94FE946B912",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:106:*:*:*:*:*:*:*",
"matchCriteriaId": "42A51853-E87F-47A3-A257-86B28F8F4607",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:107:*:*:*:*:*:*:*",
"matchCriteriaId": "2250BB48-10D6-480F-AE9F-10582674CC9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:700:*:*:*:*:*:*:*",
"matchCriteriaId": "714452CB-D258-4BB8-A275-A860F644C505",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:701:*:*:*:*:*:*:*",
"matchCriteriaId": "2F220D25-9344-482A-A36C-9D743EA55DE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:731:*:*:*:*:*:*:*",
"matchCriteriaId": "48791122-7265-4C51-8AEB-DEBC199F9A7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:746:*:*:*:*:*:*:*",
"matchCriteriaId": "B9EEA160-B4B4-45E9-84C8-C26E52D6F329",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:747:*:*:*:*:*:*:*",
"matchCriteriaId": "8BDBE717-ADB6-4080-A198-E468080F82B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:748:*:*:*:*:*:*:*",
"matchCriteriaId": "1B8775BD-EAB8-4F08-B65D-35B704C0E36B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:800:*:*:*:*:*:*:*",
"matchCriteriaId": "2BFCEADC-7359-470F-A412-5B2808CF6069",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:801:*:*:*:*:*:*:*",
"matchCriteriaId": "A387786F-F4F6-44FC-B969-6FB92A1AA096",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP CRM (WebClient UI) - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 700, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability.An attacker could store a malicious URL and lure the victim to click, causing the script supplied by the attacker to execute in the victim user\u0027s session. The information from the victim\u0027s session could then be modified or read by the attacker.\n\n"
}
],
"id": "CVE-2023-30742",
"lastModified": "2024-11-21T08:00:48.840",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cna@sap.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-09T02:15:12.333",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/3315971"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/3315971"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-09 04:15
Modified
2024-11-21 09:28
Severity ?
5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary
SAP CRM (WebClient UI Framework) allows an
authenticated attacker to enumerate accessible HTTP endpoints in the internal
network by specially crafting HTTP requests. On successful exploitation this
can result in information disclosure. It has no impact on integrity and
availability of the application.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3467377 | Permissions Required | |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3467377 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | https://url.sap/sapsecuritypatchday | Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:102:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E0DA63-3FA7-4CC4-A14E-852A632C41BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:103:*:*:*:*:*:*:*",
"matchCriteriaId": "378861FE-CD5D-49A9-8245-538A91190064",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:104:*:*:*:*:*:*:*",
"matchCriteriaId": "DA1262DB-E4C8-4298-B423-5EF859CE722F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:105:*:*:*:*:*:*:*",
"matchCriteriaId": "F9D85325-56C8-4043-BDA8-C94FE946B912",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:106:*:*:*:*:*:*:*",
"matchCriteriaId": "42A51853-E87F-47A3-A257-86B28F8F4607",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:107:*:*:*:*:*:*:*",
"matchCriteriaId": "2250BB48-10D6-480F-AE9F-10582674CC9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:108:*:*:*:*:*:*:*",
"matchCriteriaId": "39AF19C9-275E-41E7-B80A-34E31620ABBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:701:*:*:*:*:*:*:*",
"matchCriteriaId": "2F220D25-9344-482A-A36C-9D743EA55DE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:731:*:*:*:*:*:*:*",
"matchCriteriaId": "48791122-7265-4C51-8AEB-DEBC199F9A7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:746:*:*:*:*:*:*:*",
"matchCriteriaId": "B9EEA160-B4B4-45E9-84C8-C26E52D6F329",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:747:*:*:*:*:*:*:*",
"matchCriteriaId": "8BDBE717-ADB6-4080-A198-E468080F82B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:748:*:*:*:*:*:*:*",
"matchCriteriaId": "1B8775BD-EAB8-4F08-B65D-35B704C0E36B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:800:*:*:*:*:*:*:*",
"matchCriteriaId": "2BFCEADC-7359-470F-A412-5B2808CF6069",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:801:*:*:*:*:*:*:*",
"matchCriteriaId": "A387786F-F4F6-44FC-B969-6FB92A1AA096",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP CRM (WebClient UI Framework) allows an\nauthenticated attacker to enumerate accessible HTTP endpoints in the internal\nnetwork by specially crafting HTTP requests. On successful exploitation this\ncan result in information disclosure. It has no impact on integrity and\navailability of the application."
},
{
"lang": "es",
"value": "SAP CRM (WebClient UI Framework) permite a un atacante autenticado enumerar endpoints HTTP accesibles en la red interna mediante la elaboraci\u00f3n especial de solicitudes HTTP. Si se explota con \u00e9xito, esto puede dar lugar a la divulgaci\u00f3n de informaci\u00f3n. No tiene ning\u00fan impacto en la integridad y disponibilidad de la aplicaci\u00f3n."
}
],
"id": "CVE-2024-39598",
"lastModified": "2024-11-21T09:28:05.417",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 1.4,
"source": "cna@sap.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-09T04:15:14.860",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3467377"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://url.sap/sapsecuritypatchday"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3467377"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://url.sap/sapsecuritypatchday"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-09 05:15
Modified
2024-11-21 09:23
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
SAP CRM WebClient does not
perform necessary authorization check for an authenticated user, resulting in
escalation of privileges. This could allow an attacker to access some sensitive
information.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3467377 | Permissions Required | |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3467377 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | https://url.sap/sapsecuritypatchday | Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:102:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E0DA63-3FA7-4CC4-A14E-852A632C41BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:103:*:*:*:*:*:*:*",
"matchCriteriaId": "378861FE-CD5D-49A9-8245-538A91190064",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:104:*:*:*:*:*:*:*",
"matchCriteriaId": "DA1262DB-E4C8-4298-B423-5EF859CE722F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:105:*:*:*:*:*:*:*",
"matchCriteriaId": "F9D85325-56C8-4043-BDA8-C94FE946B912",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:106:*:*:*:*:*:*:*",
"matchCriteriaId": "42A51853-E87F-47A3-A257-86B28F8F4607",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:107:*:*:*:*:*:*:*",
"matchCriteriaId": "2250BB48-10D6-480F-AE9F-10582674CC9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:108:*:*:*:*:*:*:*",
"matchCriteriaId": "39AF19C9-275E-41E7-B80A-34E31620ABBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:701:*:*:*:*:*:*:*",
"matchCriteriaId": "2F220D25-9344-482A-A36C-9D743EA55DE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:731:*:*:*:*:*:*:*",
"matchCriteriaId": "48791122-7265-4C51-8AEB-DEBC199F9A7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:746:*:*:*:*:*:*:*",
"matchCriteriaId": "B9EEA160-B4B4-45E9-84C8-C26E52D6F329",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:747:*:*:*:*:*:*:*",
"matchCriteriaId": "8BDBE717-ADB6-4080-A198-E468080F82B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:748:*:*:*:*:*:*:*",
"matchCriteriaId": "1B8775BD-EAB8-4F08-B65D-35B704C0E36B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:800:*:*:*:*:*:*:*",
"matchCriteriaId": "2BFCEADC-7359-470F-A412-5B2808CF6069",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:801:*:*:*:*:*:*:*",
"matchCriteriaId": "A387786F-F4F6-44FC-B969-6FB92A1AA096",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP CRM WebClient does not\nperform necessary authorization check for an authenticated user, resulting in\nescalation of privileges. This could allow an attacker to access some sensitive\ninformation."
},
{
"lang": "es",
"value": "SAP CRM WebClient no realiza la verificaci\u00f3n de autorizaci\u00f3n necesaria para un usuario autenticado, lo que resulta en una escalada de privilegios. Esto podr\u00eda permitir que un atacante acceda a informaci\u00f3n confidencial."
}
],
"id": "CVE-2024-37175",
"lastModified": "2024-11-21T09:23:21.793",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "cna@sap.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-09T05:15:11.823",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3467377"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://url.sap/sapsecuritypatchday"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3467377"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://url.sap/sapsecuritypatchday"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-09 04:15
Modified
2024-11-21 09:23
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Due to insufficient input validation, SAP
CRM WebClient UI allows an unauthenticated attacker to craft a URL link which
embeds a malicious script. When a victim clicks on this link, the script will
be executed in the victim's browser giving the attacker the ability to access
and/or modify information with no effect on availability of the application.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3467377 | Permissions Required | |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3467377 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | https://url.sap/sapsecuritypatchday | Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:102:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E0DA63-3FA7-4CC4-A14E-852A632C41BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:103:*:*:*:*:*:*:*",
"matchCriteriaId": "378861FE-CD5D-49A9-8245-538A91190064",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:104:*:*:*:*:*:*:*",
"matchCriteriaId": "DA1262DB-E4C8-4298-B423-5EF859CE722F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:105:*:*:*:*:*:*:*",
"matchCriteriaId": "F9D85325-56C8-4043-BDA8-C94FE946B912",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:106:*:*:*:*:*:*:*",
"matchCriteriaId": "42A51853-E87F-47A3-A257-86B28F8F4607",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:107:*:*:*:*:*:*:*",
"matchCriteriaId": "2250BB48-10D6-480F-AE9F-10582674CC9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:108:*:*:*:*:*:*:*",
"matchCriteriaId": "39AF19C9-275E-41E7-B80A-34E31620ABBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:701:*:*:*:*:*:*:*",
"matchCriteriaId": "2F220D25-9344-482A-A36C-9D743EA55DE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:731:*:*:*:*:*:*:*",
"matchCriteriaId": "48791122-7265-4C51-8AEB-DEBC199F9A7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:746:*:*:*:*:*:*:*",
"matchCriteriaId": "B9EEA160-B4B4-45E9-84C8-C26E52D6F329",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:747:*:*:*:*:*:*:*",
"matchCriteriaId": "8BDBE717-ADB6-4080-A198-E468080F82B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:748:*:*:*:*:*:*:*",
"matchCriteriaId": "1B8775BD-EAB8-4F08-B65D-35B704C0E36B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:800:*:*:*:*:*:*:*",
"matchCriteriaId": "2BFCEADC-7359-470F-A412-5B2808CF6069",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:801:*:*:*:*:*:*:*",
"matchCriteriaId": "A387786F-F4F6-44FC-B969-6FB92A1AA096",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Due to insufficient input validation, SAP\n CRM WebClient UI allows an unauthenticated attacker to craft a URL link which\n embeds a malicious script. When a victim clicks on this link, the script will\n be executed in the victim\u0027s browser giving the attacker the ability to access\n and/or modify information with no effect on availability of the application."
},
{
"lang": "es",
"value": "Debido a una validaci\u00f3n de entrada insuficiente, la interfaz de usuario de SAP CRM WebClient permite que un atacante no autenticado cree un enlace URL que incorpore un script malicioso. Cuando una v\u00edctima hace clic en este enlace, el script se ejecutar\u00e1 en el navegador de la v\u00edctima, d\u00e1ndole al atacante la capacidad de acceder y/o modificar informaci\u00f3n sin ning\u00fan efecto sobre la disponibilidad de la aplicaci\u00f3n."
}
],
"id": "CVE-2024-37173",
"lastModified": "2024-11-21T09:23:21.503",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cna@sap.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-09T04:15:12.867",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3467377"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://url.sap/sapsecuritypatchday"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3467377"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://url.sap/sapsecuritypatchday"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-04-11 04:16
Modified
2024-11-21 07:56
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
SAP CRM (WebClient UI) - versions S4FND 102, 103, 104, 105, 106, 107, WEBCUIF, 700, 701, 731, 730, 746, 747, 748, 800, 801, allows an authenticated attacker to modify HTTP verbs used in requests to the web server. This application is exposed over the network and successful exploitation can lead to exposure of form fields
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:102:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E0DA63-3FA7-4CC4-A14E-852A632C41BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:103:*:*:*:*:*:*:*",
"matchCriteriaId": "378861FE-CD5D-49A9-8245-538A91190064",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:104:*:*:*:*:*:*:*",
"matchCriteriaId": "DA1262DB-E4C8-4298-B423-5EF859CE722F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4fnd:105:*:*:*:*:*:*:*",
"matchCriteriaId": "F9D85325-56C8-4043-BDA8-C94FE946B912",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:700:*:*:*:*:*:*:*",
"matchCriteriaId": "714452CB-D258-4BB8-A275-A860F644C505",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:701:*:*:*:*:*:*:*",
"matchCriteriaId": "2F220D25-9344-482A-A36C-9D743EA55DE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:730:*:*:*:*:*:*:*",
"matchCriteriaId": "B0075805-C6FC-4E0D-9E1B-6ABA3A69F6C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:731:*:*:*:*:*:*:*",
"matchCriteriaId": "48791122-7265-4C51-8AEB-DEBC199F9A7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:746:*:*:*:*:*:*:*",
"matchCriteriaId": "B9EEA160-B4B4-45E9-84C8-C26E52D6F329",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:747:*:*:*:*:*:*:*",
"matchCriteriaId": "8BDBE717-ADB6-4080-A198-E468080F82B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:748:*:*:*:*:*:*:*",
"matchCriteriaId": "1B8775BD-EAB8-4F08-B65D-35B704C0E36B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:800:*:*:*:*:*:*:*",
"matchCriteriaId": "2BFCEADC-7359-470F-A412-5B2808CF6069",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:801:*:*:*:*:*:*:*",
"matchCriteriaId": "A387786F-F4F6-44FC-B969-6FB92A1AA096",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP CRM (WebClient UI) - versions S4FND 102, 103, 104, 105, 106, 107, WEBCUIF, 700, 701, 731, 730, 746, 747, 748, 800, 801, allows an authenticated attacker to modify HTTP verbs used in requests to the web server. This application is exposed over the network and successful exploitation can lead to exposure of form fields\n\n"
}
],
"id": "CVE-2023-29189",
"lastModified": "2024-11-21T07:56:41.110",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "cna@sap.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-04-11T04:16:09.283",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://launchpad.support.sap.com/#/notes/3269352"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://launchpad.support.sap.com/#/notes/3269352"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-23"
}
],
"source": "cna@sap.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2024-37174
Vulnerability from cvelistv5
Published
2024-07-09 04:01
Modified
2024-08-02 03:50
Severity ?
EPSS score ?
Summary
Custom CSS support option in SAP CRM WebClient
UI does not sufficiently encode user-controlled inputs resulting in Cross-Site
Scripting vulnerability. On successful exploitation an attacker can cause
limited impact on confidentiality and integrity of the application.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | SAP_SE | SAP CRM WebClient UI |
Version: S4FND 102 Version: S4FND 103 Version: S4FND 104 Version: S4FND 105 Version: S4FND 106 Version: S4FND 107 Version: S4FND 108 Version: WEBCUIF 701 Version: WEBCUIF 731 Version: WEBCUIF 746 Version: WEBCUIF 747 Version: WEBCUIF 748 Version: WEBCUIF 800 Version: WEBCUIF 801 |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37174",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T14:42:49.319594Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-10T16:31:22.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:55.134Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://url.sap/sapsecuritypatchday"
},
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3467377"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "SAP CRM WebClient UI",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "S4FND 102"
},
{
"status": "affected",
"version": "S4FND 103"
},
{
"status": "affected",
"version": "S4FND 104"
},
{
"status": "affected",
"version": "S4FND 105"
},
{
"status": "affected",
"version": "S4FND 106"
},
{
"status": "affected",
"version": "S4FND 107"
},
{
"status": "affected",
"version": "S4FND 108"
},
{
"status": "affected",
"version": "WEBCUIF 701"
},
{
"status": "affected",
"version": "WEBCUIF 731"
},
{
"status": "affected",
"version": "WEBCUIF 746"
},
{
"status": "affected",
"version": "WEBCUIF 747"
},
{
"status": "affected",
"version": "WEBCUIF 748"
},
{
"status": "affected",
"version": "WEBCUIF 800"
},
{
"status": "affected",
"version": "WEBCUIF 801"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Custom CSS support option in SAP CRM WebClient\nUI does not sufficiently encode user-controlled inputs resulting in Cross-Site\nScripting vulnerability. On successful exploitation an attacker can cause\nlimited impact on confidentiality and integrity of the application.\n\n\n\n"
}
],
"value": "Custom CSS support option in SAP CRM WebClient\nUI does not sufficiently encode user-controlled inputs resulting in Cross-Site\nScripting vulnerability. On successful exploitation an attacker can cause\nlimited impact on confidentiality and integrity of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T04:01:21.084Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://url.sap/sapsecuritypatchday"
},
{
"url": "https://me.sap.com/notes/3467377"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "[Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-37174",
"datePublished": "2024-07-09T04:01:21.084Z",
"dateReserved": "2024-06-04T07:49:42.491Z",
"dateUpdated": "2024-08-02T03:50:55.134Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-37173
Vulnerability from cvelistv5
Published
2024-07-09 03:57
Modified
2024-08-02 03:50
Severity ?
EPSS score ?
Summary
Due to insufficient input validation, SAP
CRM WebClient UI allows an unauthenticated attacker to craft a URL link which
embeds a malicious script. When a victim clicks on this link, the script will
be executed in the victim's browser giving the attacker the ability to access
and/or modify information with no effect on availability of the application.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | SAP_SE | SAP CRM WebClient UI |
Version: S4FND 102 Version: S4FND 103 Version: S4FND 104 Version: S4FND 105 Version: S4FND 106 Version: S4FND 107 Version: S4FND 108 Version: WEBCUIF 701 Version: WEBCUIF 731 Version: WEBCUIF 746 Version: WEBCUIF 747 Version: WEBCUIF 748 Version: WEBCUIF 800 Version: WEBCUIF 801 |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37173",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T18:32:22.208693Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T18:32:29.014Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:54.682Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://url.sap/sapsecuritypatchday"
},
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3467377"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP CRM WebClient UI",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "S4FND 102"
},
{
"status": "affected",
"version": "S4FND 103"
},
{
"status": "affected",
"version": "S4FND 104"
},
{
"status": "affected",
"version": "S4FND 105"
},
{
"status": "affected",
"version": "S4FND 106"
},
{
"status": "affected",
"version": "S4FND 107"
},
{
"status": "affected",
"version": "S4FND 108"
},
{
"status": "affected",
"version": "WEBCUIF 701"
},
{
"status": "affected",
"version": "WEBCUIF 731"
},
{
"status": "affected",
"version": "WEBCUIF 746"
},
{
"status": "affected",
"version": "WEBCUIF 747"
},
{
"status": "affected",
"version": "WEBCUIF 748"
},
{
"status": "affected",
"version": "WEBCUIF 800"
},
{
"status": "affected",
"version": "WEBCUIF 801"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ctable\u003e\n \u003ctbody\u003e\u003ctr\u003e\n \u003ctd\u003e\n \u003cp\u003eDue to insufficient input validation, SAP\n CRM WebClient UI allows an unauthenticated attacker to craft a URL link which\n embeds a malicious script. When a victim clicks on this link, the script will\n be executed in the victim\u0027s browser giving the attacker the ability to access\n and/or modify information with no effect on availability of the application.\u003c/p\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n\u003c/tbody\u003e\u003c/table\u003e\n\n\n\n\n\n"
}
],
"value": "Due to insufficient input validation, SAP\n CRM WebClient UI allows an unauthenticated attacker to craft a URL link which\n embeds a malicious script. When a victim clicks on this link, the script will\n be executed in the victim\u0027s browser giving the attacker the ability to access\n and/or modify information with no effect on availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T03:57:15.928Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://url.sap/sapsecuritypatchday"
},
{
"url": "https://me.sap.com/notes/3467377"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "[Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-37173",
"datePublished": "2024-07-09T03:57:15.928Z",
"dateReserved": "2024-06-04T07:49:42.491Z",
"dateUpdated": "2024-08-02T03:50:54.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-30742
Vulnerability from cvelistv5
Published
2023-05-09 01:35
Modified
2024-08-02 14:37
Severity ?
EPSS score ?
Summary
SAP CRM (WebClient UI) - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 700, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability.An attacker could store a malicious URL and lure the victim to click, causing the script supplied by the attacker to execute in the victim user's session. The information from the victim's session could then be modified or read by the attacker.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | SAP_SE | SAP CRM (WebClient UI) |
Version: S4FND 102 Version: S4FND 103 Version: S4FND 104 Version: S4FND 105 Version: S4FND 106 Version: S4FND 107 Version: WEBCUIF 700 Version: WEBCUIF 701 Version: WEBCUIF 731 Version: WEBCUIF 746 Version: WEBCUIF 747 Version: WEBCUIF 748 Version: WEBCUIF 800 Version: WEBCUIF 801 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:37:15.409Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3315971"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP CRM (WebClient UI)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "S4FND 102"
},
{
"status": "affected",
"version": "S4FND 103"
},
{
"status": "affected",
"version": "S4FND 104"
},
{
"status": "affected",
"version": "S4FND 105"
},
{
"status": "affected",
"version": "S4FND 106"
},
{
"status": "affected",
"version": "S4FND 107"
},
{
"status": "affected",
"version": "WEBCUIF 700"
},
{
"status": "affected",
"version": "WEBCUIF 701"
},
{
"status": "affected",
"version": "WEBCUIF 731"
},
{
"status": "affected",
"version": "WEBCUIF 746"
},
{
"status": "affected",
"version": "WEBCUIF 747"
},
{
"status": "affected",
"version": "WEBCUIF 748"
},
{
"status": "affected",
"version": "WEBCUIF 800"
},
{
"status": "affected",
"version": "WEBCUIF 801"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP CRM (WebClient UI) - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 700, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability.An attacker could store a malicious URL and lure the victim to click, causing the script supplied by the attacker to execute in the victim user\u0027s session. The information from the victim\u0027s session could then be modified or read by the attacker.\u003c/p\u003e"
}
],
"value": "SAP CRM (WebClient UI) - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 700, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability.An attacker could store a malicious URL and lure the victim to click, causing the script supplied by the attacker to execute in the victim user\u0027s session. The information from the victim\u0027s session could then be modified or read by the attacker.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-09T01:35:17.726Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://launchpad.support.sap.com/#/notes/3315971"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-30742",
"datePublished": "2023-05-09T01:35:17.726Z",
"dateReserved": "2023-04-14T06:01:02.875Z",
"dateUpdated": "2024-08-02T14:37:15.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-39598
Vulnerability from cvelistv5
Published
2024-07-09 04:04
Modified
2024-08-02 04:26
Severity ?
EPSS score ?
Summary
SAP CRM (WebClient UI Framework) allows an
authenticated attacker to enumerate accessible HTTP endpoints in the internal
network by specially crafting HTTP requests. On successful exploitation this
can result in information disclosure. It has no impact on integrity and
availability of the application.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | SAP_SE | SAP CRM WebClient UI |
Version: S4FND 102 Version: S4FND 103 Version: S4FND 104 Version: S4FND 105 Version: S4FND 106 Version: S4FND 107 Version: S4FND 108 Version: WEBCUIF 701 Version: WEBCUIF 731 Version: WEBCUIF 746 Version: WEBCUIF 747 Version: WEBCUIF 748 Version: WEBCUIF 800 Version: WEBCUIF 801 |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39598",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T19:02:27.047209Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-10T21:04:24.524Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:15.953Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://url.sap/sapsecuritypatchday"
},
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3467377"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP CRM WebClient UI",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "S4FND 102"
},
{
"status": "affected",
"version": "S4FND 103"
},
{
"status": "affected",
"version": "S4FND 104"
},
{
"status": "affected",
"version": "S4FND 105"
},
{
"status": "affected",
"version": "S4FND 106"
},
{
"status": "affected",
"version": "S4FND 107"
},
{
"status": "affected",
"version": "S4FND 108"
},
{
"status": "affected",
"version": "WEBCUIF 701"
},
{
"status": "affected",
"version": "WEBCUIF 731"
},
{
"status": "affected",
"version": "WEBCUIF 746"
},
{
"status": "affected",
"version": "WEBCUIF 747"
},
{
"status": "affected",
"version": "WEBCUIF 748"
},
{
"status": "affected",
"version": "WEBCUIF 800"
},
{
"status": "affected",
"version": "WEBCUIF 801"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SAP CRM (WebClient UI Framework) allows an\nauthenticated attacker to enumerate accessible HTTP endpoints in the internal\nnetwork by specially crafting HTTP requests. On successful exploitation this\ncan result in information disclosure. It has no impact on integrity and\navailability of the application.\n\n\n\n"
}
],
"value": "SAP CRM (WebClient UI Framework) allows an\nauthenticated attacker to enumerate accessible HTTP endpoints in the internal\nnetwork by specially crafting HTTP requests. On successful exploitation this\ncan result in information disclosure. It has no impact on integrity and\navailability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T04:04:41.283Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://url.sap/sapsecuritypatchday"
},
{
"url": "https://me.sap.com/notes/3467377"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "[Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-39598",
"datePublished": "2024-07-09T04:04:41.283Z",
"dateReserved": "2024-06-26T09:58:24.096Z",
"dateUpdated": "2024-08-02T04:26:15.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-37175
Vulnerability from cvelistv5
Published
2024-07-09 04:07
Modified
2024-08-02 03:50
Severity ?
EPSS score ?
Summary
SAP CRM WebClient does not
perform necessary authorization check for an authenticated user, resulting in
escalation of privileges. This could allow an attacker to access some sensitive
information.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | SAP_SE | SAP CRM WebClient UI |
Version: S4FND 102 Version: S4FND 103 Version: S4FND 104 Version: S4FND 105 Version: S4FND 106 Version: S4FND 107 Version: S4FND 108 Version: WEBCUIF 701 Version: WEBCUIF 731 Version: WEBCUIF 746 Version: WEBCUIF 747 Version: WEBCUIF 748 Version: WEBCUIF 800 Version: WEBCUIF 801 |
|
|
|||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sap_se:sap_crm_webclient_ui:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_crm_webclient_ui",
"vendor": "sap_se",
"versions": [
{
"lessThanOrEqual": "S4FND108",
"status": "affected",
"version": "S4FND102",
"versionType": "custom"
},
{
"status": "affected",
"version": "WEBCUIF701"
},
{
"status": "affected",
"version": "WEBCUIF731"
},
{
"lessThanOrEqual": "WEBCUIF748",
"status": "affected",
"version": "WEBCUIF746",
"versionType": "custom"
},
{
"lessThanOrEqual": "WEBCUIF801",
"status": "affected",
"version": "WEBCUIF800",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37175",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T14:15:29.646801Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-11T14:35:21.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:55.138Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://url.sap/sapsecuritypatchday"
},
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3467377"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP CRM WebClient UI",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "S4FND 102"
},
{
"status": "affected",
"version": "S4FND 103"
},
{
"status": "affected",
"version": "S4FND 104"
},
{
"status": "affected",
"version": "S4FND 105"
},
{
"status": "affected",
"version": "S4FND 106"
},
{
"status": "affected",
"version": "S4FND 107"
},
{
"status": "affected",
"version": "S4FND 108"
},
{
"status": "affected",
"version": "WEBCUIF 701"
},
{
"status": "affected",
"version": "WEBCUIF 731"
},
{
"status": "affected",
"version": "WEBCUIF 746"
},
{
"status": "affected",
"version": "WEBCUIF 747"
},
{
"status": "affected",
"version": "WEBCUIF 748"
},
{
"status": "affected",
"version": "WEBCUIF 800"
},
{
"status": "affected",
"version": "WEBCUIF 801"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SAP CRM WebClient does not\nperform necessary authorization check for an authenticated user, resulting in\nescalation of privileges. This could allow an attacker to access some sensitive\ninformation.\n\n\n\n"
}
],
"value": "SAP CRM WebClient does not\nperform necessary authorization check for an authenticated user, resulting in\nescalation of privileges. This could allow an attacker to access some sensitive\ninformation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T04:07:21.612Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://url.sap/sapsecuritypatchday"
},
{
"url": "https://me.sap.com/notes/3467377"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "[Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-37175",
"datePublished": "2024-07-09T04:07:21.612Z",
"dateReserved": "2024-06-04T07:49:42.491Z",
"dateUpdated": "2024-08-02T03:50:55.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-29189
Vulnerability from cvelistv5
Published
2023-04-11 03:11
Modified
2024-08-02 14:00
Severity ?
EPSS score ?
Summary
SAP CRM (WebClient UI) - versions S4FND 102, 103, 104, 105, 106, 107, WEBCUIF, 700, 701, 731, 730, 746, 747, 748, 800, 801, allows an authenticated attacker to modify HTTP verbs used in requests to the web server. This application is exposed over the network and successful exploitation can lead to exposure of form fields
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | SAP | CRM (WebClient UI) |
Version: S4FND 102 Version: S4FND 103 Version: S4FND 104 Version: S4FND 105 Version: S4FND 106 Version: S4FND 107 Version: WEBCUIF 700 Version: WEBCUIF 701 Version: WEBCUIF 731 Version: WEBCUIF 730 Version: WEBCUIF 746 Version: WEBCUIF 747 Version: WEBCUIF 748 Version: WEBCUIF 800 Version: WEBCUIF 801 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:15.877Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3269352"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CRM (WebClient UI)",
"vendor": "SAP",
"versions": [
{
"status": "affected",
"version": "S4FND 102"
},
{
"status": "affected",
"version": "S4FND 103"
},
{
"status": "affected",
"version": "S4FND 104"
},
{
"status": "affected",
"version": "S4FND 105"
},
{
"status": "affected",
"version": "S4FND 106"
},
{
"status": "affected",
"version": "S4FND 107"
},
{
"status": "affected",
"version": "WEBCUIF 700"
},
{
"status": "affected",
"version": "WEBCUIF 701"
},
{
"status": "affected",
"version": "WEBCUIF 731"
},
{
"status": "affected",
"version": "WEBCUIF 730"
},
{
"status": "affected",
"version": "WEBCUIF 746"
},
{
"status": "affected",
"version": "WEBCUIF 747"
},
{
"status": "affected",
"version": "WEBCUIF 748"
},
{
"status": "affected",
"version": "WEBCUIF 800"
},
{
"status": "affected",
"version": "WEBCUIF 801"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP CRM (WebClient UI) - versions S4FND 102, 103, 104, 105, 106, 107, WEBCUIF, 700, 701, 731, 730, 746, 747, 748, 800, 801, allows an authenticated attacker to modify HTTP verbs used in requests to the web server. This application is exposed over the network and successful exploitation can lead to exposure of form fields\u003c/p\u003e"
}
],
"value": "SAP CRM (WebClient UI) - versions S4FND 102, 103, 104, 105, 106, 107, WEBCUIF, 700, 701, 731, 730, 746, 747, 748, 800, 801, allows an authenticated attacker to modify HTTP verbs used in requests to the web server. This application is exposed over the network and successful exploitation can lead to exposure of form fields\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-11T20:16:30.045Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://launchpad.support.sap.com/#/notes/3269352"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HTTP Verb Tampering vulnerability in SAP CRM (WebClient UI)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-29189",
"datePublished": "2023-04-11T03:11:30.554Z",
"dateReserved": "2023-04-03T09:22:43.158Z",
"dateUpdated": "2024-08-02T14:00:15.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}