Unauth Session Hijack via XSS in SAP NetWeaver AS ABAP BSP
CVE-2023-24522 Published on February 14, 2023
Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.
Vulnerability Analysis
CVE-2023-24522 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2023-24522 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2023-24522
stack.watch emails you whenever new vulnerabilities are published in SAP Netweaver Application Server Abap or SAP NetWeaver. Just hit a watch button to start following.
Affected Versions
SAP NetWeaver AS ABAP (BSP Framework):- Version 700 is affected.
- Version 701 is affected.
- Version 702 is affected.
- Version 731 is affected.
- Version 740 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.