cnvd - cnvd-2022-56965

cnvd-2022-56965

Vulnerability from cnvd

Title: SAP NetWeaver Portal跨站脚本漏洞（CNVD-2022-56965）

Description:

SAP NetWeaver Portal是德国思爱普（SAP）公司的是SAP NetWeaver体系结构中的组成部分。

SAP NetWeaver Portal 7.30版本、7.31版本、7.40版本和7.50版本存在跨站脚本漏洞，该漏洞源于未能充分验证用户控制的输入，攻击者可利用该漏洞可以执行任意脚本代码，从而导致窃取或修改用户的认证信息，比如与用户当前会话有关的数据。

Severity: 中

Patch Name: SAP NetWeaver Portal跨站脚本漏洞（CNVD-2022-56965）的补丁

Patch Description:

SAP NetWeaver Portal是德国思爱普（SAP）公司的是SAP NetWeaver体系结构中的组成部分。

SAP NetWeaver Portal 7.30版本、7.31版本、7.40版本和7.50版本存在跨站脚本漏洞，该漏洞源于未能充分验证用户控制的输入，攻击者可利用该漏洞可以执行任意脚本代码，从而导致窃取或修改用户的认证信息，比如与用户当前会话有关的数据。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://launchpad.support.sap.com/#/notes/3211760

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-35227

Impacted products

Name
['SAP NetWeaver Enterprise Portal 7.30', 'SAP NetWeaver Enterprise Portal 7.31', 'SAP NetWeaver Enterprise Portal 7.40', 'SAP NetWeaver Enterprise Portal 7.50']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-35227",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-35227"
    }
  },
  "description": "SAP NetWeaver Portal\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u662fSAP NetWeaver\u4f53\u7cfb\u7ed3\u6784\u4e2d\u7684\u7ec4\u6210\u90e8\u5206\u3002\n\nSAP NetWeaver Portal 7.30\u7248\u672c\u30017.31\u7248\u672c\u30017.40\u7248\u672c\u548c7.50\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u80fd\u5145\u5206\u9a8c\u8bc1\u7528\u6237\u63a7\u5236\u7684\u8f93\u5165\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u6267\u884c\u4efb\u610f\u811a\u672c\u4ee3\u7801\uff0c\u4ece\u800c\u5bfc\u81f4\u7a83\u53d6\u6216\u4fee\u6539\u7528\u6237\u7684\u8ba4\u8bc1\u4fe1\u606f\uff0c\u6bd4\u5982\u4e0e\u7528\u6237\u5f53\u524d\u4f1a\u8bdd\u6709\u5173\u7684\u6570\u636e\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://launchpad.support.sap.com/#/notes/3211760",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-56965",
  "openTime": "2022-08-11",
  "patchDescription": "SAP NetWeaver Portal\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u662fSAP NetWeaver\u4f53\u7cfb\u7ed3\u6784\u4e2d\u7684\u7ec4\u6210\u90e8\u5206\u3002\r\n\r\nSAP NetWeaver Portal 7.30\u7248\u672c\u30017.31\u7248\u672c\u30017.40\u7248\u672c\u548c7.50\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u80fd\u5145\u5206\u9a8c\u8bc1\u7528\u6237\u63a7\u5236\u7684\u8f93\u5165\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u6267\u884c\u4efb\u610f\u811a\u672c\u4ee3\u7801\uff0c\u4ece\u800c\u5bfc\u81f4\u7a83\u53d6\u6216\u4fee\u6539\u7528\u6237\u7684\u8ba4\u8bc1\u4fe1\u606f\uff0c\u6bd4\u5982\u4e0e\u7528\u6237\u5f53\u524d\u4f1a\u8bdd\u6709\u5173\u7684\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP NetWeaver Portal\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2022-56965\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "SAP NetWeaver Enterprise Portal 7.30",
      "SAP NetWeaver Enterprise Portal 7.31",
      "SAP NetWeaver Enterprise Portal 7.40",
      "SAP NetWeaver Enterprise Portal 7.50"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-35227",
  "serverity": "\u4e2d",
  "submitTime": "2022-07-15",
  "title": "SAP NetWeaver Portal\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2022-56965\uff09"
}

CVE-2022-35227 (GCVE-0-2022-35227)

Vulnerability from cvelistv5

Published

2022-07-12 20:28

Modified

2024-08-03 09:29

Severity ?

CWE

CWE-79

Summary

A vulnerability in SAP NW EP (WPC) - versions 7.30, 7.31, 7.40, 7.50, which does not sufficiently validate user-controlled input, allows a remote attacker to conduct a Cross-Site (XSS) scripting attack. A successful exploit could allow the attacker to execute arbitrary script code which could lead to stealing or modifying of authentication information of the user, such as data relating to his or her current session.

References

▼	URL	Tags
	https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	x_refsource_MISC
	https://launchpad.support.sap.com/#/notes/3211760	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	SAP SE	SAP NetWeaver Enterprise Portal (WPC)	Version: 7.30 Version: 7.31 Version: 7.40 Version: 7.50

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T09:29:17.456Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/3211760"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SAP NetWeaver Enterprise Portal (WPC)",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "7.30"
            },
            {
              "status": "affected",
              "version": "7.31"
            },
            {
              "status": "affected",
              "version": "7.40"
            },
            {
              "status": "affected",
              "version": "7.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in SAP NW EP (WPC) - versions 7.30, 7.31, 7.40, 7.50, which does not sufficiently validate user-controlled input, allows a remote attacker to conduct a Cross-Site (XSS) scripting attack. A successful exploit could allow the attacker to execute arbitrary script code which could lead to stealing or modifying of authentication information of the user, such as data relating to his or her current session."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-12T20:28:29",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://launchpad.support.sap.com/#/notes/3211760"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2022-35227",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SAP NetWeaver Enterprise Portal (WPC)",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "7.30"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.31"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.40"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.50"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SAP SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in SAP NW EP (WPC) - versions 7.30, 7.31, 7.40, 7.50, which does not sufficiently validate user-controlled input, allows a remote attacker to conduct a Cross-Site (XSS) scripting attack. A successful exploit could allow the attacker to execute arbitrary script code which could lead to stealing or modifying of authentication information of the user, such as data relating to his or her current session."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "null",
            "vectorString": "null",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
              "refsource": "MISC",
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            },
            {
              "name": "https://launchpad.support.sap.com/#/notes/3211760",
              "refsource": "MISC",
              "url": "https://launchpad.support.sap.com/#/notes/3211760"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2022-35227",
    "datePublished": "2022-07-12T20:28:29",
    "dateReserved": "2022-07-05T00:00:00",
    "dateUpdated": "2024-08-03T09:29:17.456Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted