CVE-2023-24529

Summary

Due to lack of proper input validation, BSP application (CRM_BSP_FRAME) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, allow malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a Reflected Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to hijack a user session, read and modify some sensitive information.

Affected Software

VendorProductVersion RangeStatus
SAPNetWeaver AS ABAP (Business Server Pages application)700affected
SAPNetWeaver AS ABAP (Business Server Pages application)701affected
SAPNetWeaver AS ABAP (Business Server Pages application)702affected
SAPNetWeaver AS ABAP (Business Server Pages application)731affected
SAPNetWeaver AS ABAP (Business Server Pages application)740affected
SAPNetWeaver AS ABAP (Business Server Pages application)750affected
SAPNetWeaver AS ABAP (Business Server Pages application)751affected
SAPNetWeaver AS ABAP (Business Server Pages application)752affected
SAPNetWeaver AS ABAP (Business Server Pages application)75Caffected
SAPNetWeaver AS ABAP (Business Server Pages application)75Daffected
SAPNetWeaver AS ABAP (Business Server Pages application)75Eaffected
SAPNetWeaver AS ABAP (Business Server Pages application)75Faffected
SAPNetWeaver AS ABAP (Business Server Pages application)75Gaffected
SAPNetWeaver AS ABAP (Business Server Pages application)75Haffected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References