6.1

CVE-2024-22128

SAP NWBC for HTML (versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731) does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can inject malicious JavaScript to cause limited impact to confidentiality and integrity of the application data after successful exploitation.

Data is provided by the National Vulnerability Database (NVD)
SAP Netweaver Business Client For Html, Version sap_basis_700
SAP Netweaver Business Client For Html, Version sap_basis_701
SAP Netweaver Business Client For Html, Version sap_basis_702
SAP Netweaver Business Client For Html, Version sap_basis_731
SAP Netweaver Business Client For Html, Version sap_ui_754
SAP Netweaver Business Client For Html, Version sap_ui_755
SAP Netweaver Business Client For Html, Version sap_ui_756
SAP Netweaver Business Client For Html, Version sap_ui_757
SAP Netweaver Business Client For Html, Version sap_ui_758
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type Source Score Percentile
EPSS FIRST.org 0.52% 0.659
CVSS Metrics
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 6.1 2.8 2.7 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cna@sap.com 4.7 1.6 2.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.