6.1

CVE-2022-41273

EPSS 0.55%
Published 13.12.2022 04:15:25
Last modified 21.11.2024 07:22:57
Source cna@sap.com
Teams watchlist Login
Open Login

Due to improper input sanitization in SAP Sourcing and SAP Contract Lifecycle Management - version 1100, an attacker can redirect a user to a malicious website. In order to perform this attack, the attacker sends an email to the victim with a manipulated link that appears to be a legitimate SAP Sourcing URL, since the victim doesn’t suspect the threat, they click on the link, log in to SAP Sourcing and CLM and at this point, they get redirected to a malicious website.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

SAP ≫ Contract Lifecycle Manager Version1100

SAP ≫ Sourcing Version1100

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.55%	0.67

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cna@sap.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Vendor Advisory

https://launchpad.support.sap.com/#/notes/3270399

Vendor Advisory

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2022-41273

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-41273

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-41273

EUVD