Vulnerability Details : CVE-2022-41273
Due to improper input sanitization in SAP Sourcing and SAP Contract Lifecycle Management - version 1100, an attacker can redirect a user to a malicious website. In order to perform this attack, the attacker sends an email to the victim with a manipulated link that appears to be a legitimate SAP Sourcing URL, since the victim doesn’t suspect the threat, they click on the link, log in to SAP Sourcing and CLM and at this point, they get redirected to a malicious website.
Vulnerability category: Open redirect
Products affected by CVE-2022-41273
- cpe:2.3:a:sap:sourcing:1100:*:*:*:*:*:*:*
- cpe:2.3:a:sap:contract_lifecycle_manager:1100:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-41273
0.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 34 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-41273
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
2.8
|
1.4
|
SAP SE | |
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST |
CWE ids for CVE-2022-41273
-
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.Assigned by: cna@sap.com (Primary)
References for CVE-2022-41273
-
https://launchpad.support.sap.com/#/notes/3270399
SAP ONE Support Launchpad: Log OnPermissions Required;Vendor Advisory
-
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
SAP Patch Day BlogVendor Advisory
Jump to