cve-2024-33002
Vulnerability from cvelistv5
Published
2024-05-14 03:49
Modified
2024-08-02 02:27
Severity ?
EPSS score ?
Summary
Cross-Site Scripting (XSS) Vulnerability in SAP S/4HANA (Document Service Handler for DPS)
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP S/4HANA (Document Service Handler for DPS) |
Version: SAP_BASIS 740 Version: SAP_BASIS 750 Version: SAP_BASIS 751 Version: SAP_BASIS 752 Version: SAP_BASIS 753 Version: SAP_BASIS 754 Version: SAP_BASIS 755 Version: SAP_BASIS 756 Version: SAP_BASIS 757 Version: SAP_BASIS 758 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-33002", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-14T16:50:08.558354Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:45:19.318Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T02:27:53.478Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://me.sap.com/notes/3460772" }, { "tags": [ "x_transferred" ], "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP S/4HANA (Document Service Handler for DPS)", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "SAP_BASIS 740" }, { "status": "affected", "version": "SAP_BASIS 750" }, { "status": "affected", "version": "SAP_BASIS 751" }, { "status": "affected", "version": "SAP_BASIS 752" }, { "status": "affected", "version": "SAP_BASIS 753" }, { "status": "affected", "version": "SAP_BASIS 754" }, { "status": "affected", "version": "SAP_BASIS 755" }, { "status": "affected", "version": "SAP_BASIS 756" }, { "status": "affected", "version": "SAP_BASIS 757" }, { "status": "affected", "version": "SAP_BASIS 758" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Document Service handler (obsolete) in Data Provisioning Service does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability with low impact on Confidentiality and Integrity of the application." } ], "value": "Document Service handler (obsolete) in Data Provisioning Service does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability with low impact on Confidentiality and Integrity of the application." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-14T04:02:24.237Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/3460772" }, { "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "Cross-Site Scripting (XSS) Vulnerability in SAP S/4HANA (Document Service Handler for DPS)", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2024-33002", "datePublished": "2024-05-14T03:49:25.148Z", "dateReserved": "2024-04-23T04:04:25.520Z", "dateUpdated": "2024-08-02T02:27:53.478Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-33002\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2024-05-14T16:17:13.510\",\"lastModified\":\"2024-11-21T09:16:12.620\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Document Service handler (obsolete) in Data Provisioning Service does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability with low impact on Confidentiality and Integrity of the application.\"},{\"lang\":\"es\",\"value\":\"El controlador del servicio de documentos (obsoleto) en Data Provisioning Service no codifica suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad de Cross Site Scripting (XSS) con bajo impacto en la confidencialidad y la integridad de la aplicaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://me.sap.com/notes/3460772\",\"source\":\"cna@sap.com\"},{\"url\":\"https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html\",\"source\":\"cna@sap.com\"},{\"url\":\"https://me.sap.com/notes/3460772\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.