ID

VAR-202304-0812


CVE

CVE-2023-27499


TITLE

Cross-site scripting vulnerability in SAP NetWeaver and SAP NetWeaver Application Server ABAP (SAP GUI for HTML)

Trust: 0.8

sources: JVNDB: JVNDB-2023-007137

DESCRIPTION

SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT - does not sufficiently encode user-controlled input, resulting in a reflected cross-site scripting (XSS) vulnerability. An attacker can craft a malicious URL and lure the victim into opening it; the attacker-supplied script then executes in the victim's browser, in the origin of the SAP GUI for HTML application. Information accessible to the victim's browser in that origin can be read and sent to the attacker, or modified. No authentication is required of the attacker, but the victim must interact (open the link). A cross-site scripting vulnerability therefore exists in SAP NetWeaver and SAP NetWeaver Application Server ABAP: information may be obtained and information may be tampered with.

Trust: 1.62

sources: NVD: CVE-2023-27499 // JVNDB: JVNDB-2023-007137
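The description above is the generic CWE-79 pattern: a request parameter is reflected into the HTML response without output encoding, so a crafted link carries markup straight into the victim's browser. The following is an added example written for this page, not SAP code and not a reproduction of the SAP GUI for HTML internals or of the actual injection point; the endpoint path, the parameter name `q` and the probe payload are constructed stand-ins. It shows the vulnerable reflection beside its hardened form and the simple reflection check a tester runs against any reflecting endpoint.

```javascript
// Added example for CVE-2023-27499's vulnerability class (reflected XSS, CWE-79).
// Generic illustration only: not SAP code; the path, parameter name and payload
// are constructed for this example and do not describe the real SAP endpoint.

// Encoder for the HTML text context. Every character that can open a tag, end an
// attribute value or start an entity is replaced by its character reference.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: the query parameter is reflected verbatim into the body.
// Whatever the URL carried is now markup in the victim's browser, in the
// application's origin (session cookies, DOM, same-origin requests).
function renderVulnerable(requestUrl, paramName) {
  const value = new URL(requestUrl).searchParams.get(paramName) || '';
  return `<html><body><p>No results for: ${value}</p></body></html>`;
}

// Hardened pattern: the same reflection, but the value is encoded for the
// context it lands in (HTML text), so the browser renders it as data.
// Attribute, URL and JavaScript contexts each need their own encoder; this
// one is only correct for element text.
function renderHardened(requestUrl, paramName) {
  const value = new URL(requestUrl).searchParams.get(paramName) || '';
  return `<html><body><p>No results for: ${htmlEncode(value)}</p></body></html>`;
}

// Reflection check: does the probe string come back with its meta-characters
// intact? If so the endpoint reflects unencoded and needs manual follow-up.
function reflectsUnencoded(responseBody, probe) {
  return responseBody.includes(probe);
}

// Constructed attacker link. The payload is percent-encoded as it would be in a
// real link; the server's query parser decodes it before reflection.
const PROBE = '<script>alert(document.domain)</script>';
const ATTACK_URL =
  'https://host.example/search?q=' + encodeURIComponent(PROBE);

function demo() {
  const vulnerable = renderVulnerable(ATTACK_URL, 'q');
  const hardened = renderHardened(ATTACK_URL, 'q');
  return {
    vulnerableReflects: reflectsUnencoded(vulnerable, PROBE), // true
    hardenedReflects: reflectsUnencoded(hardened, PROBE),     // false
    hardenedBody: hardened,
  };
}

console.log(demo());
```

The check in `reflectsUnencoded` is deliberately crude: it flags only exact, unencoded reflection in the body, which is what a one-line verification of a vendor fix needs. A fix that encodes `<` and `>` but leaves quotes untouched still fails in attribute context, which is why the hardened variant encodes all five characters and why the encoder must match the output context.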

AFFECTED PRODUCTS

vendor: sap | model: netweaver application server abap | scope: eq | version: 7.89

Trust: 1.0

vendor: sap | model: netweaver application server abap | scope: eq | version: krnl64uc_7.22

Trust: 1.0

vendor: sap | model: netweaver application server abap | scope: eq | version: 7.77

Trust: 1.0

vendor: sap | model: netweaver application server abap | scope: eq | version: 7.81

Trust: 1.0

vendor: sap | model: netweaver application server abap | scope: eq | version: krnl64uc

Trust: 1.0

vendor: sap | model: netweaver application server abap | scope: eq | version: 7.22

Trust: 1.0

vendor: sap | model: netweaver application server abap | scope: eq | version: 7.54

Trust: 1.0

vendor: sap | model: netweaver application server abap | scope: eq | version: 7.85

Trust: 1.0

vendor: sap | model: netweaver application server abap | scope: eq | version: 7.53

Trust: 1.0

vendor: sap | model: netweaver application server abap | scope: eq | version: 7.91

Trust: 1.0

vendor: sap | model: netweaver | scope: eq | version: 7.22ext

Trust: 1.0

vendor: sap | model: netweaver | scope: - | version: -

Trust: 0.8

vendor: sap | model: netweaver application server abap | scope: - | version: -

Trust: 0.8

sources: JVNDB: JVNDB-2023-007137 // NVD: CVE-2023-27499

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-27499
value: MEDIUM

Trust: 1.0

cna@sap.com: CVE-2023-27499
value: MEDIUM

Trust: 1.0

NVD: CVE-2023-27499
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202304-708
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2023-27499
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 2.0

NVD: CVE-2023-27499
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-007137 // CNNVD: CNNVD-202304-708 // NVD: CVE-2023-27499 // NVD: CVE-2023-27499

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

problemtype:Cross-site scripting (CWE-79) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-007137 // NVD: CVE-2023-27499

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202304-708

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202304-708

PATCH

title: SAP GUI Fixes for cross-site scripting vulnerabilities
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=234165

Trust: 0.6

sources: CNNVD: CNNVD-202304-708

EXTERNAL IDS

db: NVD | id: CVE-2023-27499

Trust: 3.2

db: JVNDB | id: JVNDB-2023-007137

Trust: 0.8

db: CNNVD | id: CNNVD-202304-708

Trust: 0.6

sources: JVNDB: JVNDB-2023-007137 // CNNVD: CNNVD-202304-708 // NVD: CVE-2023-27499

REFERENCES

url:https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Trust: 2.4

url:https://launchpad.support.sap.com/#/notes/3275458

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2023-27499

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2023-27499/

Trust: 0.6

sources: JVNDB: JVNDB-2023-007137 // CNNVD: CNNVD-202304-708 // NVD: CVE-2023-27499

SOURCES

db: JVNDB | id: JVNDB-2023-007137
db: CNNVD | id: CNNVD-202304-708
db: NVD | id: CVE-2023-27499

LAST UPDATE DATE

2024-08-14T14:49:11.051000+00:00


SOURCES UPDATE DATE

db: JVNDB | id: JVNDB-2023-007137 | date: 2023-11-17T06:52:00
db: CNNVD | id: CNNVD-202304-708 | date: 2023-04-19T00:00:00
db: NVD | id: CVE-2023-27499 | date: 2023-04-18T16:02:19.700

SOURCES RELEASE DATE

db: JVNDB | id: JVNDB-2023-007137 | date: 2023-11-17T00:00:00
db: CNNVD | id: CNNVD-202304-708 | date: 2023-04-11T00:00:00
db: NVD | id: CVE-2023-27499 | date: 2023-04-11T03:15:07.547