Vulnerability Details : CVE-2023-29110
The SAP Application Interface (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 100, 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows the usage HTML tags. An authorized attacker can use some of the basic HTML codes such as heading, basic formatting and lists, then an attacker can inject images from the foreign domains. After successful exploitations, an attacker can cause limited impact on the confidentiality and integrity of the application.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2023-29110
- cpe:2.3:a:sap:s4core:101:*:*:*:*:*:*:*
- cpe:2.3:a:sap:s4core:100:*:*:*:*:*:*:*
- cpe:2.3:a:sap:basis:755:*:*:*:*:*:*:*
- cpe:2.3:a:sap:basis:756:*:*:*:*:*:*:*
- cpe:2.3:a:sap:abap_platform:75c:*:*:*:*:*:*:*
- cpe:2.3:a:sap:abap_platform:75d:*:*:*:*:*:*:*
- cpe:2.3:a:sap:abap_platform:75e:*:*:*:*:*:*:*
- cpe:2.3:a:sap:application_interface_framework:aifx_702:*:*:*:*:*:*:*
- cpe:2.3:a:sap:application_interface_framework:aif_703:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-29110
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 32 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-29110
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.7
|
LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N |
1.2
|
2.5
|
SAP SE | |
5.4
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
2.3
|
2.7
|
NIST |
CWE ids for CVE-2023-29110
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
-
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.Assigned by: cna@sap.com (Secondary)
References for CVE-2023-29110
-
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
SAP Patch Day BlogVendor Advisory
-
https://launchpad.support.sap.com/#/notes/3113349
SAP ONE Support Launchpad: Log OnPermissions Required
Jump to