SAP NWBC for HTML Vulnerable to Cross-Site Scripting (XSS) Attacks
CVE-2024-22128

6.1MEDIUM

Key Information:

Vendor: SAP
Status: SAP NetWeaver Business Client for HTML
Vendor: CVE Published:; 13 February 2024

Summary

SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can inject malicious javascript to cause limited impact to confidentiality and integrity of the application data after successful exploitation.

Affected Version(s)

SAP NetWeaver Business Client for HTML SAP_UI 754

SAP NetWeaver Business Client for HTML SAP_UI 755

SAP NetWeaver Business Client for HTML SAP_UI 756

References

https://me.sap.com/notes/3396109

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 13, 2024
Vulnerability Reserved
Jan 5, 2024