Vulnerability Details : CVE-2023-33991
SAP UI5 Variant Management - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, UI_700 200, does not sufficiently encode user-controlled inputs on reading data from the server, resulting in Stored Cross-Site Scripting (Stored XSS) vulnerability. After successful exploitation, an attacker with user level access can cause high impact on confidentiality, modify some information and can cause unavailability of the application at user level.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2023-33991
- cpe:2.3:a:sap:ui:750:*:*:*:*:*:*:*
- cpe:2.3:a:sap:ui:754:*:*:*:*:*:*:*
- cpe:2.3:a:sap:ui:755:*:*:*:*:*:*:*
- cpe:2.3:a:sap:ui:756:*:*:*:*:*:*:*
- cpe:2.3:a:sap:ui:757:*:*:*:*:*:*:*
- cpe:2.3:a:sap:ui:700:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-33991
0.54%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 65 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-33991
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
8.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L |
2.3
|
5.3
|
SAP SE | |
|
8.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L |
2.3
|
5.3
|
NIST |
CWE ids for CVE-2023-33991
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: cna@sap.com (Primary)
References for CVE-2023-33991
-
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
SAP Patch Day BlogVendor Advisory
-
https://launchpad.support.sap.com/#/notes/3324285
SAP ONE Support Launchpad: Log OnPermissions Required
Jump to