Vulnerability Details : CVE-2022-41273
Due to improper input sanitization in SAP Sourcing and SAP Contract Lifecycle Management - version 1100, an attacker can redirect a user to a malicious website. In order to perform this attack, the attacker sends an email to the victim with a manipulated link that appears to be a legitimate SAP Sourcing URL, since the victim doesn’t suspect the threat, they click on the link, log in to SAP Sourcing and CLM and at this point, they get redirected to a malicious website.
Vulnerability category: Open redirect
Exploit prediction scoring system (EPSS) score for CVE-2022-41273
Probability of exploitation activity in the next 30 days: 0.07%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 28 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2022-41273
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
2.8
|
1.4
|
SAP SE |
|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST |
CWE ids for CVE-2022-41273
-
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.Assigned by: cna@sap.com (Primary)
References for CVE-2022-41273
-
https://launchpad.support.sap.com/#/notes/3270399
SAP ONE Support Launchpad: Log OnPermissions Required;Vendor Advisory
-
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
SAP Patch Day BlogVendor Advisory
Products affected by CVE-2022-41273
- cpe:2.3:a:sap:sourcing:1100:*:*:*:*:*:*:*
- cpe:2.3:a:sap:contract_lifecycle_manager:1100:*:*:*:*:*:*:*