CVE-2023-33991

EPSS 0.22%
Published 13.06.2023 03:15:09
Last modified 21.11.2024 08:06:21
Source cna@sap.com
Teams watchlist Login
Open Login

SAP UI5 Variant Management - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, UI_700 200, does not sufficiently encode user-controlled inputs on reading data from the server, resulting in Stored Cross-Site Scripting (Stored XSS) vulnerability. After successful exploitation, an attacker with user level access can cause high impact on confidentiality, modify some information and can cause unavailability of the application at user level.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

SAP ≫ Ui Version700

SAP ≫ Ui Version750

SAP ≫ Ui Version754

SAP ≫ Ui Version755

SAP ≫ Ui Version756

SAP ≫ Ui Version757

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.22%	0.444

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.2	2.3	5.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
cna@sap.com	8.2	2.3	5.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Vendor Advisory

https://launchpad.support.sap.com/#/notes/3324285

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2023-33991

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-33991

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-33991

EUVD