Vulnerabilites related to sap - s4fnd
CVE-2019-0244 (GCVE-0-2019-0244)
Vulnerability from cvelistv5
Published
2019-01-08 20:00
Modified
2024-08-04 17:44
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross-Site Scripting
Summary
SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | SAP SE | SAP CRM WebClient UI (SAPSCORE) |
Version: < 1.12 |
|||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:16.026Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106473",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106473"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP CRM WebClient UI (SAPSCORE)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12"
}
]
},
{
"product": "SAP CRM WebClient UI (S4FND)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.02"
}
]
},
{
"product": "SAP CRM WebClient UI (WEBCUIF)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 7.31"
},
{
"status": "affected",
"version": "\u003c 7.46"
},
{
"status": "affected",
"version": "\u003c 7.47"
},
{
"status": "affected",
"version": "\u003c 7.48"
},
{
"status": "affected",
"version": "\u003c 8.0"
},
{
"status": "affected",
"version": "\u003c 8.01"
}
]
}
],
"datePublic": "2019-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-09T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106473",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106473"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2019-0244",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP CRM WebClient UI (SAPSCORE)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.12"
}
]
}
},
{
"product_name": "SAP CRM WebClient UI (S4FND)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.02"
}
]
}
},
{
"product_name": "SAP CRM WebClient UI (WEBCUIF)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "7.31"
},
{
"version_name": "\u003c",
"version_value": "7.46"
},
{
"version_name": "\u003c",
"version_value": "7.47"
},
{
"version_name": "\u003c",
"version_value": "7.48"
},
{
"version_name": "\u003c",
"version_value": "8.0"
},
{
"version_name": "\u003c",
"version_value": "8.01"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.support.sap.com/#/notes/2588763",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106473",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106473"
},
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2019-0244",
"datePublished": "2019-01-08T20:00:00",
"dateReserved": "2018-11-26T00:00:00",
"dateUpdated": "2024-08-04T17:44:16.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-24525 (GCVE-0-2023-24525)
Vulnerability from cvelistv5
Published
2023-02-14 03:18
Modified
2025-03-20 20:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an authenticated attacker can cause limited impact on confidentiality of the application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | CRM (WebClient UI) |
Version: WEBCUIF 748 Version: 800 Version: 801 Version: S4FND 102 Version: 103 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:56:04.230Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2788178"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-24525",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T20:22:47.832336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T20:22:57.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CRM (WebClient UI)",
"vendor": "SAP",
"versions": [
{
"status": "affected",
"version": "WEBCUIF 748"
},
{
"status": "affected",
"version": "800"
},
{
"status": "affected",
"version": "801"
},
{
"status": "affected",
"version": "S4FND 102"
},
{
"status": "affected",
"version": "103"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.\u00a0On successful exploitation an authenticated attacker can cause limited impact on confidentiality of the application.\u003c/p\u003e"
}
],
"value": "SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.\u00a0On successful exploitation an authenticated attacker can cause limited impact on confidentiality of the application.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-11T21:25:50.210Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://launchpad.support.sap.com/#/notes/2788178"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-24525",
"datePublished": "2023-02-14T03:18:24.206Z",
"dateReserved": "2023-01-25T15:46:55.581Z",
"dateUpdated": "2025-03-20T20:22:57.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-2364 (GCVE-0-2018-2364)
Vulnerability from cvelistv5
Published
2018-02-14 12:00
Modified
2024-08-05 04:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross-Site Scripting (XSS)
Summary
SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, S4FND 1.02, does not sufficiently validate and/or encode hidden fields, resulting in Cross-Site Scripting (XSS) vulnerability.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ► | SAP SE | SAP CRM WebClient UI |
Version: 7.01 Version: 7.31 Version: 7.46 Version: 7.47 Version: 7.48 Version: 8.00 Version: 8.01 |
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:14:39.595Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103002",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103002"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2541700"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP CRM WebClient UI",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "7.01"
},
{
"status": "affected",
"version": "7.31"
},
{
"status": "affected",
"version": "7.46"
},
{
"status": "affected",
"version": "7.47"
},
{
"status": "affected",
"version": "7.48"
},
{
"status": "affected",
"version": "8.00"
},
{
"status": "affected",
"version": "8.01"
}
]
},
{
"product": "S4FND",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "1.02"
}
]
}
],
"datePublic": "2018-02-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, S4FND 1.02, does not sufficiently validate and/or encode hidden fields, resulting in Cross-Site Scripting (XSS) vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-15T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"name": "103002",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103002"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.support.sap.com/#/notes/2541700"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2018-2364",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP CRM WebClient UI",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "7.01"
},
{
"version_affected": "=",
"version_value": "7.31"
},
{
"version_affected": "=",
"version_value": "7.46"
},
{
"version_affected": "=",
"version_value": "7.47"
},
{
"version_affected": "=",
"version_value": "7.48"
},
{
"version_affected": "=",
"version_value": "8.00"
},
{
"version_affected": "=",
"version_value": "8.01"
}
]
}
},
{
"product_name": "S4FND",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "1.02"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, S4FND 1.02, does not sufficiently validate and/or encode hidden fields, resulting in Cross-Site Scripting (XSS) vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103002",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103002"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2541700",
"refsource": "CONFIRM",
"url": "https://launchpad.support.sap.com/#/notes/2541700"
},
{
"name": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/",
"refsource": "CONFIRM",
"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2018-2364",
"datePublished": "2018-02-14T12:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-08-05T04:14:39.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-0245 (GCVE-0-2019-0245)
Vulnerability from cvelistv5
Published
2019-01-08 20:00
Modified
2024-08-04 17:44
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross-Site Scripting
Summary
SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | SAP SE | SAP CRM WebClient UI (SAPSCORE) |
Version: < 1.12 |
|||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:15.952Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106468",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106468"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP CRM WebClient UI (SAPSCORE)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12"
}
]
},
{
"product": "SAP CRM WebClient UI (S4FND)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.02"
}
]
},
{
"product": "SAP CRM WebClient UI (WEBCUIF)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 7.31"
},
{
"status": "affected",
"version": "\u003c 7.46"
},
{
"status": "affected",
"version": "\u003c 7.47"
},
{
"status": "affected",
"version": "\u003c 7.48"
},
{
"status": "affected",
"version": "\u003c 8.0"
},
{
"status": "affected",
"version": "\u003c 8.01"
}
]
}
],
"datePublic": "2019-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-09T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106468",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106468"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2019-0245",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP CRM WebClient UI (SAPSCORE)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.12"
}
]
}
},
{
"product_name": "SAP CRM WebClient UI (S4FND)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.02"
}
]
}
},
{
"product_name": "SAP CRM WebClient UI (WEBCUIF)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "7.31"
},
{
"version_name": "\u003c",
"version_value": "7.46"
},
{
"version_name": "\u003c",
"version_value": "7.47"
},
{
"version_name": "\u003c",
"version_value": "7.48"
},
{
"version_name": "\u003c",
"version_value": "8.0"
},
{
"version_name": "\u003c",
"version_value": "8.01"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.support.sap.com/#/notes/2588763",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106468",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106468"
},
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2019-0245",
"datePublished": "2019-01-08T20:00:00",
"dateReserved": "2018-11-26T00:00:00",
"dateUpdated": "2024-08-04T17:44:15.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29188 (GCVE-0-2023-29188)
Vulnerability from cvelistv5
Published
2023-05-09 00:57
Modified
2025-01-28 16:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
SAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP CRM WebClient UI |
Version: SAPSCORE 129 Version: S4FND 102 Version: S4FND 103 Version: S4FND 104 Version: S4FND 105 Version: S4FND 106 Version: S4FND 107 Version: WEBCUIF 701 Version: WEBCUIF 731 Version: WEBCUIF 746 Version: WEBCUIF 747 Version: WEBCUIF 748 Version: WEBCUIF 800 Version: WEBCUIF 801 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:15.860Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://i7p.wdf.sap.corp/sap/support/notes/3315979"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29188",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-28T16:13:12.372471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-28T16:13:33.060Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP CRM WebClient UI",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SAPSCORE 129"
},
{
"status": "affected",
"version": "S4FND 102"
},
{
"status": "affected",
"version": "S4FND 103"
},
{
"status": "affected",
"version": "S4FND 104"
},
{
"status": "affected",
"version": "S4FND 105"
},
{
"status": "affected",
"version": "S4FND 106"
},
{
"status": "affected",
"version": "S4FND 107"
},
{
"status": "affected",
"version": "WEBCUIF 701"
},
{
"status": "affected",
"version": "WEBCUIF 731"
},
{
"status": "affected",
"version": "WEBCUIF 746"
},
{
"status": "affected",
"version": "WEBCUIF 747"
},
{
"status": "affected",
"version": "WEBCUIF 748"
},
{
"status": "affected",
"version": "WEBCUIF 800"
},
{
"status": "affected",
"version": "WEBCUIF 801"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data.\u003c/p\u003e"
}
],
"value": "SAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-09T00:57:57.055Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://i7p.wdf.sap.corp/sap/support/notes/3315979"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-29188",
"datePublished": "2023-05-09T00:57:57.055Z",
"dateReserved": "2023-04-03T09:22:43.158Z",
"dateUpdated": "2025-01-28T16:13:33.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2019-01-08 20:29
Modified
2024-11-21 04:16
Severity ?
Summary
SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | http://www.securityfocus.com/bid/106468 | Third Party Advisory, VDB Entry | |
| cna@sap.com | https://launchpad.support.sap.com/#/notes/2588763 | Permissions Required, Vendor Advisory | |
| cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/106468 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2588763 | Permissions Required, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | customer_relationship_management_webclient_ui | 7.31 | |
| sap | customer_relationship_management_webclient_ui | 7.46 | |
| sap | customer_relationship_management_webclient_ui | 7.47 | |
| sap | customer_relationship_management_webclient_ui | 7.48 | |
| sap | customer_relationship_management_webclient_ui | 8.00 | |
| sap | customer_relationship_management_webclient_ui | 8.01 | |
| sap | s4fnd | 1.02 | |
| sap | sapscore | 1.12 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.31:*:*:*:*:*:*:*",
"matchCriteriaId": "470B27E7-C245-43B3-9ED0-545A06158114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.46:*:*:*:*:*:*:*",
"matchCriteriaId": "3DA5DC54-236B-4832-AA79-6EC111EFFBF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.47:*:*:*:*:*:*:*",
"matchCriteriaId": "4056C921-05B8-4465-96CD-429B520AA6B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.48:*:*:*:*:*:*:*",
"matchCriteriaId": "A6CBB62D-FDA3-4A23-9175-B9171EA9CE7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.00:*:*:*:*:*:*:*",
"matchCriteriaId": "1440F085-EB15-4910-8AB8-C72E67B8B39E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.01:*:*:*:*:*:*:*",
"matchCriteriaId": "F8D60B19-8578-40AF-9A09-5D6EB8D2DB40",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:s4fnd:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "3A88FFDD-4967-4E81-8E44-3F4A7BCCE943",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:sapscore:1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "16B411D4-96AC-4706-97EA-E2694319154A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
},
{
"lang": "es",
"value": "SAP CRM WebClient UI (solucionado en SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) no valida suficientemente los campos ocultos controlados por el usuario, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS)."
}
],
"id": "CVE-2019-0245",
"lastModified": "2024-11-21T04:16:34.450",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-01-08T20:29:00.783",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106468"
},
{
"source": "cna@sap.com",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106468"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-05-09 01:15
Modified
2024-11-21 07:56
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
SAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | customer_relationship_management_webclient_ui | 7.01 | |
| sap | customer_relationship_management_webclient_ui | 7.31 | |
| sap | customer_relationship_management_webclient_ui | 7.46 | |
| sap | customer_relationship_management_webclient_ui | 7.47 | |
| sap | customer_relationship_management_webclient_ui | 7.48 | |
| sap | customer_relationship_management_webclient_ui | 8.00 | |
| sap | customer_relationship_management_webclient_ui | 8.01 | |
| sap | s4fnd | 1.02 | |
| sap | s4fnd | 102 | |
| sap | s4fnd | 103 | |
| sap | s4fnd | 104 | |
| sap | s4fnd | 105 | |
| sap | s4fnd | 106 | |
| sap | s4fnd | 107 | |
| sap | sapscore | 129 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.01:*:*:*:*:*:*:*",
"matchCriteriaId": "314EA6B5-D3E3-4559-A34A-51A6BB4F3E12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.31:*:*:*:*:*:*:*",
"matchCriteriaId": "470B27E7-C245-43B3-9ED0-545A06158114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.46:*:*:*:*:*:*:*",
"matchCriteriaId": "3DA5DC54-236B-4832-AA79-6EC111EFFBF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.47:*:*:*:*:*:*:*",
"matchCriteriaId": "4056C921-05B8-4465-96CD-429B520AA6B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.48:*:*:*:*:*:*:*",
"matchCriteriaId": "A6CBB62D-FDA3-4A23-9175-B9171EA9CE7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.00:*:*:*:*:*:*:*",
"matchCriteriaId": "1440F085-EB15-4910-8AB8-C72E67B8B39E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.01:*:*:*:*:*:*:*",
"matchCriteriaId": "F8D60B19-8578-40AF-9A09-5D6EB8D2DB40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4fnd:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "3A88FFDD-4967-4E81-8E44-3F4A7BCCE943",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4fnd:102:*:*:*:*:*:*:*",
"matchCriteriaId": "FEA8EA38-C0D1-4EB0-93D5-DEBA8446E685",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4fnd:103:*:*:*:*:*:*:*",
"matchCriteriaId": "43ED5850-580C-40F2-ABCD-CCA33B63D4CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4fnd:104:*:*:*:*:*:*:*",
"matchCriteriaId": "104C4099-341D-4796-8425-D61A44FB7839",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4fnd:105:*:*:*:*:*:*:*",
"matchCriteriaId": "66A663D3-247D-497E-8CE3-4D21E4A43C99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4fnd:106:*:*:*:*:*:*:*",
"matchCriteriaId": "09C81075-4864-47A7-9851-DD46EE9B2E78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4fnd:107:*:*:*:*:*:*:*",
"matchCriteriaId": "54AD7034-006C-4698-BF4F-D3584D88EC77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:sapscore:129:*:*:*:*:*:*:*",
"matchCriteriaId": "4ACAA9A2-5CD6-4C6B-829B-CB534FADFAD2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data.\n\n"
}
],
"id": "CVE-2023-29188",
"lastModified": "2024-11-21T07:56:40.970",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "cna@sap.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-09T01:15:08.943",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Broken Link"
],
"url": "https://i7p.wdf.sap.corp/sap/support/notes/3315979"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://i7p.wdf.sap.corp/sap/support/notes/3315979"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-01-08 20:29
Modified
2024-11-21 04:16
Severity ?
Summary
SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | http://www.securityfocus.com/bid/106473 | Third Party Advisory, VDB Entry | |
| cna@sap.com | https://launchpad.support.sap.com/#/notes/2588763 | Permissions Required, Vendor Advisory | |
| cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/106473 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2588763 | Permissions Required, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | customer_relationship_management_webclient_ui | 7.31 | |
| sap | customer_relationship_management_webclient_ui | 7.46 | |
| sap | customer_relationship_management_webclient_ui | 7.47 | |
| sap | customer_relationship_management_webclient_ui | 7.48 | |
| sap | customer_relationship_management_webclient_ui | 8.00 | |
| sap | customer_relationship_management_webclient_ui | 8.01 | |
| sap | s4fnd | 1.02 | |
| sap | sapscore | 1.12 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.31:*:*:*:*:*:*:*",
"matchCriteriaId": "470B27E7-C245-43B3-9ED0-545A06158114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.46:*:*:*:*:*:*:*",
"matchCriteriaId": "3DA5DC54-236B-4832-AA79-6EC111EFFBF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.47:*:*:*:*:*:*:*",
"matchCriteriaId": "4056C921-05B8-4465-96CD-429B520AA6B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.48:*:*:*:*:*:*:*",
"matchCriteriaId": "A6CBB62D-FDA3-4A23-9175-B9171EA9CE7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.00:*:*:*:*:*:*:*",
"matchCriteriaId": "1440F085-EB15-4910-8AB8-C72E67B8B39E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.01:*:*:*:*:*:*:*",
"matchCriteriaId": "F8D60B19-8578-40AF-9A09-5D6EB8D2DB40",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:s4fnd:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "3A88FFDD-4967-4E81-8E44-3F4A7BCCE943",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:sapscore:1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "16B411D4-96AC-4706-97EA-E2694319154A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
},
{
"lang": "es",
"value": "SAP CRM WebClient UI (solucionado en SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) no valida suficientemente los campos ocultos controlados por el usuario, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS)."
}
],
"id": "CVE-2019-0244",
"lastModified": "2024-11-21T04:16:34.330",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-01-08T20:29:00.737",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106473"
},
{
"source": "cna@sap.com",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106473"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-14 04:15
Modified
2024-11-21 07:48
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an authenticated attacker can cause limited impact on confidentiality of the application.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | https://launchpad.support.sap.com/#/notes/2788178 | Permissions Required, Vendor Advisory | |
| cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2788178 | Permissions Required, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.00:*:*:*:*:*:*:*",
"matchCriteriaId": "DE87D61B-2E55-4F32-8837-DD3D77FF7A89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.01:*:*:*:*:*:*:*",
"matchCriteriaId": "314EA6B5-D3E3-4559-A34A-51A6BB4F3E12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.02:*:*:*:*:*:*:*",
"matchCriteriaId": "F6B9BEF2-5E40-465B-A728-484B6F9488E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.31:*:*:*:*:*:*:*",
"matchCriteriaId": "470B27E7-C245-43B3-9ED0-545A06158114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.40:*:*:*:*:*:*:*",
"matchCriteriaId": "D4E90CCA-F2D8-4EB3-A4F5-4705F7F8DB67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.48:*:*:*:*:*:*:*",
"matchCriteriaId": "A6CBB62D-FDA3-4A23-9175-B9171EA9CE7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.50:*:*:*:*:*:*:*",
"matchCriteriaId": "EAF34241-C022-40FE-AB27-16D8EE537429",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.52:*:*:*:*:*:*:*",
"matchCriteriaId": "6514BD40-D078-46D6-811C-B26E9692EF96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.00:*:*:*:*:*:*:*",
"matchCriteriaId": "1440F085-EB15-4910-8AB8-C72E67B8B39E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.01:*:*:*:*:*:*:*",
"matchCriteriaId": "F8D60B19-8578-40AF-9A09-5D6EB8D2DB40",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:s4fnd:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "3A88FFDD-4967-4E81-8E44-3F4A7BCCE943",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4fnd:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "64D4BFFA-2E36-480B-83BB-199CB765659C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.\u00a0On successful exploitation an authenticated attacker can cause limited impact on confidentiality of the application.\n\n"
}
],
"id": "CVE-2023-24525",
"lastModified": "2024-11-21T07:48:03.267",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "cna@sap.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-14T04:15:12.770",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/2788178"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/2788178"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-14 12:29
Modified
2024-11-21 04:03
Severity ?
Summary
SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, S4FND 1.02, does not sufficiently validate and/or encode hidden fields, resulting in Cross-Site Scripting (XSS) vulnerability.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | http://www.securityfocus.com/bid/103002 | Third Party Advisory, VDB Entry | |
| cna@sap.com | https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/ | Vendor Advisory | |
| cna@sap.com | https://launchpad.support.sap.com/#/notes/2541700 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/103002 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2541700 | Permissions Required |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.01:*:*:*:*:*:*:*",
"matchCriteriaId": "314EA6B5-D3E3-4559-A34A-51A6BB4F3E12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.31:*:*:*:*:*:*:*",
"matchCriteriaId": "470B27E7-C245-43B3-9ED0-545A06158114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.46:*:*:*:*:*:*:*",
"matchCriteriaId": "3DA5DC54-236B-4832-AA79-6EC111EFFBF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.47:*:*:*:*:*:*:*",
"matchCriteriaId": "4056C921-05B8-4465-96CD-429B520AA6B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.48:*:*:*:*:*:*:*",
"matchCriteriaId": "A6CBB62D-FDA3-4A23-9175-B9171EA9CE7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.00:*:*:*:*:*:*:*",
"matchCriteriaId": "1440F085-EB15-4910-8AB8-C72E67B8B39E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.01:*:*:*:*:*:*:*",
"matchCriteriaId": "F8D60B19-8578-40AF-9A09-5D6EB8D2DB40",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:s4fnd:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "3A88FFDD-4967-4E81-8E44-3F4A7BCCE943",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, S4FND 1.02, does not sufficiently validate and/or encode hidden fields, resulting in Cross-Site Scripting (XSS) vulnerability."
},
{
"lang": "es",
"value": "SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01 y S4FND 1.02, no valida suficientemente y/o codifica los campos ocultos, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS)."
}
],
"id": "CVE-2018-2364",
"lastModified": "2024-11-21T04:03:41.087",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-14T12:29:00.233",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/103002"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"
},
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://launchpad.support.sap.com/#/notes/2541700"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/103002"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://launchpad.support.sap.com/#/notes/2541700"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}