CVE-2023-27499

Summary

SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure the victim to click, the script supplied by the attacker will execute in the victim user's browser. The information from the victim's web browser can either be modified or read and sent to the attacker.

Affected Software

VendorProductVersion RangeStatus
SAP_SEGUI for HTMLKERNEL 7.22affected
SAP_SEGUI for HTMLKERNEL 7.53affected
SAP_SEGUI for HTMLKERNEL 7.54affected
SAP_SEGUI for HTMLKERNEL 7.77affected
SAP_SEGUI for HTMLKERNEL 7.81affected
SAP_SEGUI for HTMLKERNEL 7.85affected
SAP_SEGUI for HTMLKERNEL 7.89affected
SAP_SEGUI for HTMLKERNEL 7.91affected
SAP_SEGUI for HTMLKRNL64UC 7.22affected
SAP_SEGUI for HTMLKRNL64UC 7.22EXTaffected
SAP_SEGUI for HTMLKRNL64UC 7.53affected
SAP_SEGUI for HTMLKRNL64NUC 7.22affected
SAP_SEGUI for HTMLKRNL64NUC 7.22EXTaffected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References