FKIE_CVE-2024-37178

Vulnerability from fkie_nvd - Published: 2024-06-11 02:15 - Updated: 2024-11-21 09:23
Severity ?
5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Summary
SAP Financial Consolidation does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. These endpoints are exposed over the network. The vulnerability can exploit resources beyond the vulnerable component. On successful exploitation, an attacker can cause limited impact to confidentiality of the application.
References
cna@sap.comhttps://me.sap.com/notes/3457592
cna@sap.comhttps://support.sap.com/en/my-support/knowledge-base/security-notes-news.html
af854a3a-2127-422b-91ae-364da2661108https://me.sap.com/notes/3457592
af854a3a-2127-422b-91ae-364da2661108https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP Financial Consolidation does not\nsufficiently encode user-controlled inputs, resulting in Cross-Site Scripting\n(XSS) vulnerability. These endpoints are exposed over the network. The\nvulnerability can exploit resources beyond the vulnerable component. On\nsuccessful exploitation, an attacker can cause limited impact to\nconfidentiality of the application."
    },
    {
      "lang": "es",
      "value": "SAP Financial Consolidation no codifica suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS). Estos endpoints est\u00e1n expuestos a trav\u00e9s de la red. La vulnerabilidad puede explotar recursos m\u00e1s all\u00e1 del componente vulnerable. Si la explotaci\u00f3n tiene \u00e9xito, un atacante puede causar un impacto limitado en la confidencialidad de la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2024-37178",
  "lastModified": "2024-11-21T09:23:22.227",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 1.4,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-06-11T02:15:09.487",
  "references": [
    {
      "source": "cna@sap.com",
      "url": "https://me.sap.com/notes/3457592"
    },
    {
      "source": "cna@sap.com",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://me.sap.com/notes/3457592"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "cna@sap.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.