CVE-2024-27902 - Vulnerability Details - OpenCVE

Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. A successful attack can allow a malicious attacker to access and modify data through their ability to execute code in a user’s browser. There is no impact on the availability of the system

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Sap	Netweaver As Abap

Configuration 1 [-]

OR	cpe:2.3:a:sap:netweaver_as_abap:sap_ui_7.89:::::::*
	cpe:2.3:a:sap:netweaver_as_abap:sap_ui_7.93:::::::*

No data.

References

Link	Providers
https://me.sap.com/notes/3377979
https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364

History

Wed, 26 Feb 2025 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Sap netweaver As Abap
CPEs		cpe:2.3:a:sap:netweaver_as_abap:sap_ui_7.89:::::::* cpe:2.3:a:sap:netweaver_as_abap:sap_ui_7.93:::::::*
Vendors & Products		Sap Sap netweaver As Abap

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2024-03-12T00:45:08.794Z

Updated: 2024-08-02T00:41:55.900Z

Reserved: 2024-02-27T06:26:16.787Z

Link: CVE-2024-27902

Vulnrichment

Updated: 2024-05-23T19:01:17.161Z

NVD

Status : Analyzed

Published: 2024-03-12T01:15:50.193

Modified: 2025-02-26T15:15:08.143

Link: CVE-2024-27902

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27902", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2024-02-27T06:26:16.787Z", "datePublished": "2024-03-12T00:45:08.794Z", "dateUpdated": "2024-08-02T00:41:55.900Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP NetWeaver AS ABAP applications based on SAPGUI for HTML (WebGUI)", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "7.89"}, {"status": "affected", "version": "7.93"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.\u00a0A successful attack can allow a malicious attacker to access and modify data through their ability to execute code in a user\u2019s browser. There is no impact on the availability of the system</p>"}], "value": "Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.\u00a0A successful attack can allow a malicious attacker to access and modify data through their ability to execute code in a user\u2019s browser. There is no impact on the availability of the system\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2024-03-12T00:45:08.794Z"}, "references": [{"url": "https://me.sap.com/notes/3377979"}, {"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"}], "source": {"discovery": "UNKNOWN"}, "title": "Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP applications based on SAPGUI for HTML (WebGUI)", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27902", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-12T18:24:55.762101Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:47:26.941Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:41:55.900Z"}, "title": "CVE Program Container", "references": [{"url": "https://me.sap.com/notes/3377979", "tags": ["x_transferred"]}, {"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27902", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2024-02-27T06:26:16.787Z", "datePublished": "2024-03-12T00:45:08.794Z", "dateUpdated": "2024-06-04T17:47:26.941Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP NetWeaver AS ABAP applications based on SAPGUI for HTML (WebGUI)", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "7.89"}, {"status": "affected", "version": "7.93"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.\u00a0A successful attack can allow a malicious attacker to access and modify data through their ability to execute code in a user\u2019s browser. There is no impact on the availability of the system</p>"}], "value": "Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.\u00a0A successful attack can allow a malicious attacker to access and modify data through their ability to execute code in a user\u2019s browser. There is no impact on the availability of the system\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2024-03-12T00:45:08.794Z"}, "references": [{"url": "https://me.sap.com/notes/3377979"}, {"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"}], "source": {"discovery": "UNKNOWN"}, "title": "Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP applications based on SAPGUI for HTML (WebGUI)", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27902", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-12T18:24:55.762101Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:17.161Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_as_abap:sap_ui_7.89:*:*:*:*:*:*:*", "matchCriteriaId": "012E1427-6870-4531-97AF-77238A46C1E7", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap:sap_ui_7.93:*:*:*:*:*:*:*", "matchCriteriaId": "40AE9719-63A9-44F0-9974-66C77D04AAB0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.\u00a0A successful attack can allow a malicious attacker to access and modify data through their ability to execute code in a user\u2019s browser. There is no impact on the availability of the system\n\n"}, {"lang": "es", "value": "Las aplicaciones basadas en SAP GUI para HTML en SAP NetWeaver AS ABAP (versiones 7.89, 7.93) no codifican suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad de cross-site scripting (XSS). Un ataque exitoso puede permitir que un atacante malintencionado acceda y modifique datos a trav\u00e9s de su capacidad para ejecutar c\u00f3digo en el navegador de un usuario. No hay impacto en la disponibilidad del sistema."}], "id": "CVE-2024-27902", "lastModified": "2025-02-26T15:15:08.143", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "cna@sap.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-12T01:15:50.193", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3377979"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3377979"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cna@sap.com", "type": "Secondary"}]}