cnvd - cnvd-2024-35657

cnvd-2024-35657

Vulnerability from cnvd

Title: SAP NetWeaver Application Server跨站脚本漏洞（CNVD-2024-35657）

Description:

SAP NetWeaver Application Server是德国思爱普（SAP）公司的一款应用程序服务器。

SAP NetWeaver Application Server ABAP Platform存在跨站脚本漏洞，该漏洞源于缺少不受信任数据的输入验证和输出编码，未经身份验证的攻击者可利用该漏洞将恶意JavaScript代码注入动态制作的网页中。

Severity: 中

Patch Name: SAP NetWeaver Application Server跨站脚本漏洞（CNVD-2024-35657）的补丁

Patch Description:

SAP NetWeaver Application Server是德国思爱普（SAP）公司的一款应用程序服务器。

SAP NetWeaver Application Server ABAP Platform存在跨站脚本漏洞，该漏洞源于缺少不受信任数据的输入验证和输出编码，未经身份验证的攻击者可利用该漏洞将恶意JavaScript代码注入动态制作的网页中。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2024.html

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-32733

Impacted products

Name
SAP SAP NetWeaver Application Server

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-32733",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-32733"
    }
  },
  "description": "SAP NetWeaver Application Server\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\u3002\n\nSAP NetWeaver Application Server ABAP Platform\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f3a\u5c11\u4e0d\u53d7\u4fe1\u4efb\u6570\u636e\u7684\u8f93\u5165\u9a8c\u8bc1\u548c\u8f93\u51fa\u7f16\u7801\uff0c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u6076\u610fJavaScript\u4ee3\u7801\u6ce8\u5165\u52a8\u6001\u5236\u4f5c\u7684\u7f51\u9875\u4e2d\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2024.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-35657",
  "openTime": "2024-08-19",
  "patchDescription": "SAP NetWeaver Application Server\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\u3002\r\n\r\nSAP NetWeaver Application Server ABAP Platform\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f3a\u5c11\u4e0d\u53d7\u4fe1\u4efb\u6570\u636e\u7684\u8f93\u5165\u9a8c\u8bc1\u548c\u8f93\u51fa\u7f16\u7801\uff0c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u6076\u610fJavaScript\u4ee3\u7801\u6ce8\u5165\u52a8\u6001\u5236\u4f5c\u7684\u7f51\u9875\u4e2d\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP NetWeaver Application Server\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2024-35657\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "SAP SAP NetWeaver Application Server"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-32733",
  "serverity": "\u4e2d",
  "submitTime": "2024-05-30",
  "title": "SAP NetWeaver Application Server\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2024-35657\uff09"
}

CVE-2024-32733 (GCVE-0-2024-32733)

Vulnerability from cvelistv5

Published

2024-05-14 03:38

Modified

2024-08-02 02:20

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Due to missing input validation and output encoding of untrusted data, SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject malicious JavaScript code into the dynamically crafted web page. On successful exploitation the attacker can access or modify sensitive information with no impact on availability of the application

References

▼	URL	Tags
	https://me.sap.com/notes/3450286
	https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364

Impacted products

	Vendor	Product	Version
	SAP_SE	SAP NetWeaver Application Server ABAP and ABAP Platform	Version: SAP_BASIS 740 Version: SAP_BASIS 750 Version: SAP_BASIS 751 Version: SAP_BASIS 752 Version: SAP_BASIS 753 Version: SAP_BASIS 754 Version: SAP_BASIS 755 Version: SAP_BASIS 756 Version: SAP_BASIS 757 Version: SAP_BASIS 758 Version: SAP_BASIS 795 Version: SAP_BASIS 796

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32733",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-15T19:24:35.277824Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:50:43.945Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:20:35.550Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://me.sap.com/notes/3450286"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver Application Server ABAP and ABAP Platform ",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 795"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 796"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDue to missing input validation and output encoding of untrusted data, SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject malicious JavaScript code into the dynamically crafted web page. On successful exploitation the attacker can access or \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003emodify\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e sensitive information with no impact on availability of the application\u003c/span\u003e\n\n"
            }
          ],
          "value": "\nDue to missing input validation and output encoding of untrusted data, SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject malicious JavaScript code into the dynamically crafted web page. On successful exploitation the attacker can access or modify sensitive information with no impact on availability of the application\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-14T03:38:19.474Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3450286"
        },
        {
          "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2024-32733",
    "datePublished": "2024-05-14T03:38:19.474Z",
    "dateReserved": "2024-04-17T10:46:51.752Z",
    "dateUpdated": "2024-08-02T02:20:35.550Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted