Vulnerability-Lookup

CVE-2022-35294 (GCVE-0-2022-35294)

Vulnerability from cvelistv5 – Published: 2022-09-13 15:43 – Updated: 2024-08-03 09:36

Summary

An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user.

Severity

No CVSS data available.

CWE

CWE-79

Assigner

sap

References

2 references

URL	Tags
https://www.sap.com/documents/2022/02/fa865ea4-16…	x_refsource_MISC
https://launchpad.support.sap.com/#/notes/3218177	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
SAP SE	SAP NetWeaver AS ABAP	Affected: KRNL64NUC 7.22 Affected: 7.22EXT Affected: 7.49 Affected: KRNL64UC 7.22 Affected: 7.53 Affected: KERNEL 7.22 Affected: 7.77 Affected: 7.81 Affected: 7.85 Affected: 7.89 Affected: 7.54

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T09:36:43.369Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/3218177"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SAP NetWeaver AS ABAP",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "KRNL64NUC 7.22"
            },
            {
              "status": "affected",
              "version": "7.22EXT"
            },
            {
              "status": "affected",
              "version": "7.49"
            },
            {
              "status": "affected",
              "version": "KRNL64UC 7.22"
            },
            {
              "status": "affected",
              "version": "7.53"
            },
            {
              "status": "affected",
              "version": "KERNEL 7.22"
            },
            {
              "status": "affected",
              "version": "7.77"
            },
            {
              "status": "affected",
              "version": "7.81"
            },
            {
              "status": "affected",
              "version": "7.85"
            },
            {
              "status": "affected",
              "version": "7.89"
            },
            {
              "status": "affected",
              "version": "7.54"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-21T18:48:24.000Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://launchpad.support.sap.com/#/notes/3218177"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2022-35294",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SAP NetWeaver AS ABAP",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "KRNL64NUC 7.22"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.22EXT"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.49"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "KRNL64UC 7.22"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.22EXT"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.49"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.53"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "KERNEL 7.22"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.49"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.53"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.77"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.81"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.85"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.89"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.54"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SAP SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "null",
            "vectorString": "null",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
              "refsource": "MISC",
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            },
            {
              "name": "https://launchpad.support.sap.com/#/notes/3218177",
              "refsource": "MISC",
              "url": "https://launchpad.support.sap.com/#/notes/3218177"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2022-35294",
    "datePublished": "2022-09-13T15:43:33.000Z",
    "dateReserved": "2022-07-07T00:00:00.000Z",
    "dateUpdated": "2024-08-03T09:36:43.369Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-35294",
      "date": "2026-05-29",
      "epss": "0.00379",
      "percentile": "0.59677"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:7.22ext:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AF64539B-0DE2-4076-91B9-F03F4DDFAE2F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:7.49:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9FBC5614-7C3F-4AD8-8640-0499B8B03C64\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:7.53:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9E8CB869-C342-4362-9A4A-298F0B5F4003\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:7.54:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"92EBF7BA-BB05-4946-9CA8-E170AB80ECA3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:7.77:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"89E7439E-F4D6-45EA-99FC-C9B34D4D590E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:7.81:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"252DCEF2-8DDF-467F-8869-B69A0A3426F8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:7.85:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9BC578BE-2308-491E-9D56-6B45AFF0FCFA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:7.89:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4C5C5010-9631-4C70-AD90-A0D16B03BFA5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6C07042F-C47F-441E-AB32-B58A066909E2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C2D5BECF-C4BA-44C7-9AD7-56865DD9AD60\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"23257C18-B75C-471C-9EAF-1E86DEE845FA\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user.\"}, {\"lang\": \"es\", \"value\": \"Un atacante con privilegios b\\u00e1sicos de usuario de negocio podr\\u00eda dise\\u00f1ar y cargar un archivo malicioso en SAP NetWeaver Application Server ABAP, que luego es descargado y visualizado por otros usuarios, dando lugar a un ataque de tipo Cross-Site-Scripting almacenado. Esto podr\\u00eda conllevar a una divulgaci\\u00f3n de informaci\\u00f3n, incluyendo el robo de informaci\\u00f3n de autenticaci\\u00f3n y una suplantaci\\u00f3n del usuario afectado\"}]",
      "id": "CVE-2022-35294",
      "lastModified": "2024-11-21T07:11:03.857",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}]}",
      "published": "2022-09-13T16:15:08.877",
      "references": "[{\"url\": \"https://launchpad.support.sap.com/#/notes/3218177\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"source\": \"cna@sap.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://launchpad.support.sap.com/#/notes/3218177\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cna@sap.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cna@sap.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-35294\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2022-09-13T16:15:08.877\",\"lastModified\":\"2024-11-21T07:11:03.857\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user.\"},{\"lang\":\"es\",\"value\":\"Un atacante con privilegios b\u00e1sicos de usuario de negocio podr\u00eda dise\u00f1ar y cargar un archivo malicioso en SAP NetWeaver Application Server ABAP, que luego es descargado y visualizado por otros usuarios, dando lugar a un ataque de tipo Cross-Site-Scripting almacenado. Esto podr\u00eda conllevar a una divulgaci\u00f3n de informaci\u00f3n, incluyendo el robo de informaci\u00f3n de autenticaci\u00f3n y una suplantaci\u00f3n del usuario afectado\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:7.22ext:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AF64539B-0DE2-4076-91B9-F03F4DDFAE2F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:7.49:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9FBC5614-7C3F-4AD8-8640-0499B8B03C64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:7.53:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E8CB869-C342-4362-9A4A-298F0B5F4003\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:7.54:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"92EBF7BA-BB05-4946-9CA8-E170AB80ECA3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:7.77:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"89E7439E-F4D6-45EA-99FC-C9B34D4D590E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:7.81:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"252DCEF2-8DDF-467F-8869-B69A0A3426F8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:7.85:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9BC578BE-2308-491E-9D56-6B45AFF0FCFA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:7.89:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4C5C5010-9631-4C70-AD90-A0D16B03BFA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6C07042F-C47F-441E-AB32-B58A066909E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2D5BECF-C4BA-44C7-9AD7-56865DD9AD60\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"23257C18-B75C-471C-9EAF-1E86DEE845FA\"}]}]}],\"references\":[{\"url\":\"https://launchpad.support.sap.com/#/notes/3218177\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://launchpad.support.sap.com/#/notes/3218177\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

CERTFR-2022-AVI-819

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	SAP BusinessObjects Business Intelligence	SAP BusinessObjects Business Intelligence Platform versions 420, 430
SAP	SAP BusinessObjects Business Intelligence	SAP BusinessObjects Business Intelligence Platform (CMC) versions 430
SAP	N/A	SAP Access Control version 12
SAP	N/A	SAP Knowledge Warehouse versions 7.30, 7.31, 7.40, 7.50
SAP	N/A	SAP NetWeaverASABAP versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.89, 7.54
SAP	NetWeaver Enterprise Portal	SAP NetWeaver Enterprise Portal (KMC) version 7.50
SAP	N/A	SAP SuccessFactors attachment API for Mobile Application(Android &iOS) versions antérieures à 8.0.5
SAP	N/A	SAP Business One version 10.0
SAP	SAP BusinessObjects Business Intelligence	SAP BusinessObjects Business Intelligence Platform (Version Management System) versions 420, 430
SAP	N/A	SAP NetWeaverASABAP (SAPGUIfor HTML within the Fiori Launchpad) versions KERNEL 7.77, 7.81, 7.85, 7.89, 7.54
SAP	N/A	SAP Business Client versions 6.5, 7.0, 7.70
SAP	N/A	SAP NetWeaver ABAP Server and ABAP Platform versions 700, 701, 702, 731, 740, 750-757, 789
SAP	N/A	SAP NetWeaver ABAP Server and ABAP Platform versions 740, 750-756, 787

References

Title

Publication Time

CERTFR-2022-AVI-819

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	SAP BusinessObjects Business Intelligence	SAP BusinessObjects Business Intelligence Platform versions 420, 430
SAP	SAP BusinessObjects Business Intelligence	SAP BusinessObjects Business Intelligence Platform (CMC) versions 430
SAP	N/A	SAP Access Control version 12
SAP	N/A	SAP Knowledge Warehouse versions 7.30, 7.31, 7.40, 7.50
SAP	N/A	SAP NetWeaverASABAP versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.89, 7.54
SAP	NetWeaver Enterprise Portal	SAP NetWeaver Enterprise Portal (KMC) version 7.50
SAP	N/A	SAP SuccessFactors attachment API for Mobile Application(Android &iOS) versions antérieures à 8.0.5
SAP	N/A	SAP Business One version 10.0
SAP	SAP BusinessObjects Business Intelligence	SAP BusinessObjects Business Intelligence Platform (Version Management System) versions 420, 430
SAP	N/A	SAP NetWeaverASABAP (SAPGUIfor HTML within the Fiori Launchpad) versions KERNEL 7.77, 7.81, 7.85, 7.89, 7.54
SAP	N/A	SAP Business Client versions 6.5, 7.0, 7.70
SAP	N/A	SAP NetWeaver ABAP Server and ABAP Platform versions 700, 701, 702, 731, 740, 750-757, 789
SAP	N/A	SAP NetWeaver ABAP Server and ABAP Platform versions 740, 750-756, 787

References

Title

Publication Time

FKIE_CVE-2022-35294

Vulnerability from fkie_nvd - Published: 2022-09-13 16:15 - Updated: 2024-11-21 07:11

Severity

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
cna@sap.com	https://launchpad.support.sap.com/#/notes/3218177	Permissions Required, Vendor Advisory
cna@sap.com	https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://launchpad.support.sap.com/#/notes/3218177	Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Impacted products

Vendor	Product	Version
sap	netweaver_application_server_abap	7.22ext
sap	netweaver_application_server_abap	7.49
sap	netweaver_application_server_abap	7.53
sap	netweaver_application_server_abap	7.54
sap	netweaver_application_server_abap	7.77
sap	netweaver_application_server_abap	7.81
sap	netweaver_application_server_abap	7.85
sap	netweaver_application_server_abap	7.89
sap	netweaver_application_server_abap	kernel_7.22
sap	netweaver_application_server_abap	krnl64nuc_7.22
sap	netweaver_application_server_abap	krnl64uc_7.22

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:7.22ext:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF64539B-0DE2-4076-91B9-F03F4DDFAE2F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:7.49:*:*:*:*:*:*:*",
              "matchCriteriaId": "9FBC5614-7C3F-4AD8-8640-0499B8B03C64",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:7.53:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E8CB869-C342-4362-9A4A-298F0B5F4003",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:7.54:*:*:*:*:*:*:*",
              "matchCriteriaId": "92EBF7BA-BB05-4946-9CA8-E170AB80ECA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:7.77:*:*:*:*:*:*:*",
              "matchCriteriaId": "89E7439E-F4D6-45EA-99FC-C9B34D4D590E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:7.81:*:*:*:*:*:*:*",
              "matchCriteriaId": "252DCEF2-8DDF-467F-8869-B69A0A3426F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:7.85:*:*:*:*:*:*:*",
              "matchCriteriaId": "9BC578BE-2308-491E-9D56-6B45AFF0FCFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:7.89:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C5C5010-9631-4C70-AD90-A0D16B03BFA5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:*:*:*:*:*:*:*",
              "matchCriteriaId": "6C07042F-C47F-441E-AB32-B58A066909E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22:*:*:*:*:*:*:*",
              "matchCriteriaId": "C2D5BECF-C4BA-44C7-9AD7-56865DD9AD60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22:*:*:*:*:*:*:*",
              "matchCriteriaId": "23257C18-B75C-471C-9EAF-1E86DEE845FA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user."
    },
    {
      "lang": "es",
      "value": "Un atacante con privilegios b\u00e1sicos de usuario de negocio podr\u00eda dise\u00f1ar y cargar un archivo malicioso en SAP NetWeaver Application Server ABAP, que luego es descargado y visualizado por otros usuarios, dando lugar a un ataque de tipo Cross-Site-Scripting almacenado. Esto podr\u00eda conllevar a una divulgaci\u00f3n de informaci\u00f3n, incluyendo el robo de informaci\u00f3n de autenticaci\u00f3n y una suplantaci\u00f3n del usuario afectado"
    }
  ],
  "id": "CVE-2022-35294",
  "lastModified": "2024-11-21T07:11:03.857",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-13T16:15:08.877",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3218177"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3218177"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "cna@sap.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

GHSA-PGXH-RPR4-8MR8

Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2022-09-16 00:00

Details

Severity

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-35294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-13T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user.",
  "id": "GHSA-pgxh-rpr4-8mr8",
  "modified": "2022-09-16T00:00:31Z",
  "published": "2022-09-14T00:00:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cla-assistant/cla-assistant/security/advisories/GHSA-jjjv-grgr-v8h3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35294"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3218177"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2022-35294

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-35294

Aliases

CVE-2022-35294

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-35294",
    "description": "An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user.",
    "id": "GSD-2022-35294"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-35294"
      ],
      "details": "An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user.",
      "id": "GSD-2022-35294",
      "modified": "2023-12-13T01:19:33.463310Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@sap.com",
        "ID": "CVE-2022-35294",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "SAP NetWeaver AS ABAP",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "KRNL64NUC 7.22"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "7.22EXT"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "7.49"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "KRNL64UC 7.22"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "7.22EXT"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "7.49"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "7.53"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "KERNEL 7.22"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "7.49"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "7.53"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "7.77"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "7.81"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "7.85"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "7.89"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "7.54"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SAP SE"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user."
          }
        ]
      },
      "impact": {
        "cvss": {
          "baseScore": "null",
          "vectorString": "null",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-79"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
            "refsource": "MISC",
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          },
          {
            "name": "https://launchpad.support.sap.com/#/notes/3218177",
            "refsource": "MISC",
            "url": "https://launchpad.support.sap.com/#/notes/3218177"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:7.49:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:7.53:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:7.77:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:7.81:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:7.22ext:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:7.85:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:7.89:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:7.54:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2022-35294"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://launchpad.support.sap.com/#/notes/3218177",
              "refsource": "MISC",
              "tags": [
                "Permissions Required",
                "Vendor Advisory"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3218177"
            },
            {
              "name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2022-10-05T14:16Z",
      "publishedDate": "2022-09-13T16:15Z"
    }
  }
}

VAR-202209-0880

Vulnerability from variot - Updated: 2022-09-28 22:27

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202209-0880",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.85"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.53"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.54"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "krnl64uc_7.22"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "kernel_7.22"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.77"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.49"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "krnl64nuc_7.22"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.22ext"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.81"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.89"
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-35294"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:krnl64nuc_7.22:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:kernel_7.22:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:krnl64uc_7.22:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:7.49:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:7.53:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:7.77:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:7.81:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:7.22ext:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:7.85:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:7.54:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:7.89:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-35294"
      }
    ]
  },
  "cve": "CVE-2022-35294",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.3,
            "id": "CVE-2022-35294",
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2022-35294",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202209-797",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202209-797"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-35294"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user.",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-35294"
      }
    ],
    "trust": 1.0
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2022-35294",
        "trust": 1.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202209-797",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202209-797"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-35294"
      }
    ]
  },
  "id": "VAR-202209-0880",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.094017096
  },
  "last_update_date": "2022-09-28T22:27:06.811000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SAP NetWeaver Application Server Fixes for cross-site scripting vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=207886"
      }
    ],
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202209-797"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-35294"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.6,
        "url": "https://launchpad.support.sap.com/#/notes/3218177"
      },
      {
        "trust": 1.6,
        "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
      },
      {
        "trust": 0.6,
        "url": "https://github.com/cla-assistant/cla-assistant/security/advisories/ghsa-jjjv-grgr-v8h3"
      },
      {
        "trust": 0.6,
        "url": "https://vigilance.fr/vulnerability/sap-multiple-vulnerabilities-de-decembre-2021-39263"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2022-35294/"
      }
    ],
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202209-797"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-35294"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202209-797"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-35294"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-09-13T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202209-797"
      },
      {
        "date": "2022-09-13T16:15:00",
        "db": "NVD",
        "id": "CVE-2022-35294"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-09-22T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202209-797"
      },
      {
        "date": "2022-09-21T19:15:00",
        "db": "NVD",
        "id": "CVE-2022-35294"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202209-797"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP NetWeaver Application Server Cross-site scripting vulnerability",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202209-797"
      }
    ],
    "trust": 0.6
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "XSS",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202209-797"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-35294 (GCVE-0-2022-35294)

CERTFR-2022-AVI-819

Solution

CERTFR-2022-AVI-819

Solution

FKIE_CVE-2022-35294

GHSA-PGXH-RPR4-8MR8

GSD-2022-35294

VAR-202209-0880

Tags

Sightings

Nomenclature