CVE-2022-35294

Summary

An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user.

Affected Software

VendorProductVersion RangeStatus
SAP SESAP NetWeaver AS ABAPKRNL64NUC 7.22affected
SAP SESAP NetWeaver AS ABAP7.22EXTaffected
SAP SESAP NetWeaver AS ABAP7.49affected
SAP SESAP NetWeaver AS ABAPKRNL64UC 7.22affected
SAP SESAP NetWeaver AS ABAP7.53affected
SAP SESAP NetWeaver AS ABAPKERNEL 7.22affected
SAP SESAP NetWeaver AS ABAP7.77affected
SAP SESAP NetWeaver AS ABAP7.81affected
SAP SESAP NetWeaver AS ABAP7.85affected
SAP SESAP NetWeaver AS ABAP7.89affected
SAP SESAP NetWeaver AS ABAP7.54affected

Weaknesses

  • CWE-79: CWE-79

ADP Enrichment

CVE Program Container

Additional References

References