SAP GUI for HTML 7.89/7.93 XSS via unsanitized input
CVE-2024-27902 Published on March 12, 2024
Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP applications based on SAPGUI for HTML (WebGUI)
Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. A successful attack can allow a malicious attacker to access and modify data through their ability to execute code in a users browser. There is no impact on the availability of the system
Vulnerability Analysis
CVE-2024-27902 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2024-27902 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2024-27902
Want to know whenever a new CVE is published for SAP Netweaver As Abap? stack.watch will email you.
Affected Versions
SAP_SE SAP NetWeaver AS ABAP applications based on SAPGUI for HTML (WebGUI):- Version 7.89 is affected.
- Version 7.93 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.