Cross-Site Scripting (XSS) vulnerability in SAP GUI for HTML
CVE-2023-27499

6.1MEDIUM

Key Information:

Vendor: SAP
Status: GUI for HTML
Vendor: CVE Published:; 11 April 2023

Summary

SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure the victim to click, the script supplied by the attacker will execute in the victim user's browser. The information from the victim's web browser can either be modified or read and sent to the attacker.

Affected Version(s)

GUI for HTML KERNEL 7.22

GUI for HTML KERNEL 7.53

GUI for HTML KERNEL 7.54

References

https://launchpad.support.sap.com/#/notes/3275458

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 11, 2023
Vulnerability Reserved
Mar 2, 2023