FKIE_CVE-2024-34687

Vulnerability from fkie_nvd - Published: 2024-05-14 16:17 - Updated: 2025-10-23 20:28
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform do not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker can control code that is executed within a user’s browser, which could result in modification, deletion of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. Hence, this could have impact on Confidentiality, Integrity and Availability of the system.
References
cna@sap.comhttps://me.sap.com/notes/3448445Permissions Required
cna@sap.comhttps://support.sap.com/en/my-support/knowledge-base/security-notes-news.htmlPatch
af854a3a-2127-422b-91ae-364da2661108https://me.sap.com/notes/3448445Permissions Required
af854a3a-2127-422b-91ae-364da2661108https://support.sap.com/en/my-support/knowledge-base/security-notes-news.htmlPatch
Impacted products
Vendor Product Version
sap sap_basis 700
sap sap_basis 701
sap sap_basis 702
sap sap_basis 731
sap sap_basis 740
sap sap_basis 750
sap sap_basis 751
sap sap_basis 752
sap sap_basis 753
sap sap_basis 754
sap sap_basis 755
sap sap_basis 756
sap sap_basis 757
sap sap_basis 758
sap sap_basis 795
sap sap_basis 796
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:700:*:*:*:*:*:*:*",
              "matchCriteriaId": "85616273-040E-49CB-8EB6-D2D4D7B603E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:701:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5F2C3A9-DCC0-4FF1-8E68-9EA150E209F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:702:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F774A45-2A9F-4873-A5DC-766D030C8CCD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:731:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3A0A2D6-9259-4A35-A236-F4BEE986C1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "49C3A8E5-FA6A-4EF3-BF50-FD4E1576024F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:750:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABA8AB4E-3FE6-46A8-847E-660C5DF6CE71",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:751:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DA4A6F0-C0F1-42CB-8BBD-7198064733EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:752:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C121CC9-26F6-4103-8EB0-BAFF6B5B5FE8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:753:*:*:*:*:*:*:*",
              "matchCriteriaId": "86086D00-10BF-4C55-8D87-82CCBE468153",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:754:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F25246A-D9E5-4F0D-B91A-478D4E5570DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:755:*:*:*:*:*:*:*",
              "matchCriteriaId": "0218695F-C4AD-46BF-B176-F10C644A9C2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:756:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC9E7C3E-1005-450A-9198-E014C1BAADBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:757:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A177AB1-CC85-46EF-91DF-462096608C9F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:758:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7591F81-708C-4285-9BB2-F2B4BDB9759B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:795:*:*:*:*:*:*:*",
              "matchCriteriaId": "DD27E9BD-7102-4B8B-A75A-8A94678F8633",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:796:*:*:*:*:*:*:*",
              "matchCriteriaId": "C70D7AC0-0389-4F7A-8ECC-B1BADB02418D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP NetWeaver Application Server for ABAP and ABAP Platform do not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.\nAn attacker can control code that is executed within a user\u2019s browser, which could result in modification, deletion of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user\u2019s session. Hence, this could have impact on Confidentiality, Integrity and Availability of the system.\n"
    },
    {
      "lang": "es",
      "value": "SAP NetWeaver Application Server para ABAP y la plataforma ABAP no codifican suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad de Cross Site Scripting (XSS). Un atacante puede controlar el c\u00f3digo que se ejecuta dentro del navegador de un usuario, lo que podr\u00eda dar como resultado la modificaci\u00f3n, la eliminaci\u00f3n de datos, incluido el acceso o la eliminaci\u00f3n de archivos, o el robo de cookies de sesi\u00f3n que un atacante podr\u00eda usar para secuestrar la sesi\u00f3n de un usuario. Por lo tanto, esto podr\u00eda tener un impacto en la confidencialidad, la integridad y la disponibilidad del sistema."
    }
  ],
  "id": "CVE-2024-34687",
  "lastModified": "2025-10-23T20:28:16.217",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 3.7,
        "source": "cna@sap.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-05-14T16:17:26.143",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3448445"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Patch"
      ],
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3448445"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "cna@sap.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.