CVE-2023-27499 : SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.9

SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure the victim to click, the script supplied by the attacker will execute in the victim user's browser. The information from the victim's web browser can either be modified or read and sent to the attacker.

Published 2023-04-11 03:15:08

Updated 2023-04-18 16:02:20

Source SAP SE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2023-27499

SAP » Netweaver » Version: 7.22ext
cpe:2.3:a:sap:netweaver:7.22ext:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver Application Server Abap » Version: 7.81
cpe:2.3:a:sap:netweaver_application_server_abap:7.81:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver Application Server Abap » Version: 7.85
cpe:2.3:a:sap:netweaver_application_server_abap:7.85:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver Application Server Abap » Version: 7.89
cpe:2.3:a:sap:netweaver_application_server_abap:7.89:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver Application Server Abap » Version: 7.54
cpe:2.3:a:sap:netweaver_application_server_abap:7.54:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver Application Server Abap » Version: Krnl64uc 7.22
cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver Application Server Abap » Version: 7.53
cpe:2.3:a:sap:netweaver_application_server_abap:7.53:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver Application Server Abap » Version: 7.77
cpe:2.3:a:sap:netweaver_application_server_abap:7.77:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver Application Server Abap » Version: 7.22
cpe:2.3:a:sap:netweaver_application_server_abap:7.22:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver Application Server Abap » Version: 7.91
cpe:2.3:a:sap:netweaver_application_server_abap:7.91:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver Application Server Abap » Version: Krnl64uc
cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-27499

EPSS FAQ

0.42%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 61 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-27499

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	SAP SE
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2023-27499

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- cna@sap.com (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2023-27499

https://launchpad.support.sap.com/#/notes/3275458

SAP ONE Support Launchpad: Log On
Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

SAP Patch Day Blog
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-27499

Products affected by CVE-2023-27499

Exploit prediction scoring system (EPSS) score for CVE-2023-27499

CVSS scores for CVE-2023-27499

CWE ids for CVE-2023-27499

References for CVE-2023-27499