CVE-2023-24525 : SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not

SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an authenticated attacker can cause limited impact on confidentiality of the application.

Published 2023-02-14 04:15:13

Updated 2023-04-11 22:15:08

Source SAP SE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2023-24525

SAP » Customer Relationship Management Webclient Ui » Version: 7.48
cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.48:*:*:*:*:*:*:*
Matching versions
SAP » Customer Relationship Management Webclient Ui » Version: 8.00
cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.00:*:*:*:*:*:*:*
Matching versions
SAP » Customer Relationship Management Webclient Ui » Version: 8.01
cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.01:*:*:*:*:*:*:*
Matching versions
SAP » Customer Relationship Management Webclient Ui » Version: 7.31
cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.31:*:*:*:*:*:*:*
Matching versions
SAP » Customer Relationship Management Webclient Ui » Version: 7.01
cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.01:*:*:*:*:*:*:*
Matching versions
SAP » Customer Relationship Management Webclient Ui » Version: 7.00
cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.00:*:*:*:*:*:*:*
Matching versions
SAP » Customer Relationship Management Webclient Ui » Version: 7.02
cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.02:*:*:*:*:*:*:*
Matching versions
SAP » Customer Relationship Management Webclient Ui » Version: 7.40
cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.40:*:*:*:*:*:*:*
Matching versions
SAP » Customer Relationship Management Webclient Ui » Version: 7.50
cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.50:*:*:*:*:*:*:*
Matching versions
SAP » Customer Relationship Management Webclient Ui » Version: 7.52
cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.52:*:*:*:*:*:*:*
Matching versions
SAP » S4fnd » Version: 1.02
cpe:2.3:a:sap:s4fnd:1.02:*:*:*:*:*:*:*
Matching versions
SAP » S4fnd » Version: 1.03
cpe:2.3:a:sap:s4fnd:1.03:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-24525

EPSS FAQ

0.43%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 61 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-24525

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	2.8	1.4	SAP SE
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2023-24525

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: cna@sap.com (Primary)

References for CVE-2023-24525

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

SAP Patch Day Blog
Vendor Advisory

CVEs referencing this url
https://launchpad.support.sap.com/#/notes/2788178

SAP ONE Support Launchpad: Log On
Permissions Required;Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-24525

Products affected by CVE-2023-24525

Exploit prediction scoring system (EPSS) score for CVE-2023-24525

CVSS scores for CVE-2023-24525

CWE ids for CVE-2023-24525

References for CVE-2023-24525