CVE-2023-23858

Summary

Due to insufficient input validation, SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to send a crafted URL to a user, and by clicking the URL, the tricked user accesses SAP and might be directed with the response to somewhere out-side SAP and enter sensitive data. This could cause a limited impact on confidentiality and integrity of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP NetWeaver AS for ABAP and ABAP Platform740affected
SAP_SESAP NetWeaver AS for ABAP and ABAP Platform750affected
SAP_SESAP NetWeaver AS for ABAP and ABAP Platform751affected
SAP_SESAP NetWeaver AS for ABAP and ABAP Platform752affected
SAP_SESAP NetWeaver AS for ABAP and ABAP Platform753affected
SAP_SESAP NetWeaver AS for ABAP and ABAP Platform754affected
SAP_SESAP NetWeaver AS for ABAP and ABAP Platform755affected
SAP_SESAP NetWeaver AS for ABAP and ABAP Platform756affected
SAP_SESAP NetWeaver AS for ABAP and ABAP Platform757affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References