CVE-2023-27499
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
11/04/2023
Last modified:
18/04/2023
Description
SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure the victim to click, the script supplied by the attacker will execute in the victim user&#39;s browser. The information from the victim&#39;s web browser can either be modified or read and sent to the attacker.<br />
<br />
Impact
Base Score 3.x
6.10
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:sap:netweaver:7.22ext:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:7.22:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:7.53:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:7.54:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:7.77:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:7.81:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:7.85:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:7.89:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:7.91:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page