CVE-2023-33991

Published: Jun 13, 2023Modified: Nov 21, 2024

8.2

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

Exploitability: 2.3 / Impact: 5.3

Source: NVD

Description

SAP UI5 Variant Management - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, UI_700 200, does not sufficiently encode user-controlled inputs on reading data from the server, resulting in Stored Cross-Site Scripting (Stored XSS) vulnerability. After successful exploitation, an attacker with user level access can cause high impact on confidentiality, modify some information and can cause unavailability of the application at user level.

Affected (6)

Products: Sap: Ui

1 product

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Sap Ui	Version 700
Sap Ui	Version 750
Sap Ui	Version 754
Sap Ui	Version 755
Sap Ui	Version 756
Sap Ui	Version 757

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://launchpad.support.sap.com/#/notes/3324285

Source: cna@sap.com

Permissions Required

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Source: cna@sap.com

Vendor Advisory

https://launchpad.support.sap.com/#/notes/3324285

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.