CVE-2024-37174

Summary

Custom CSS support option in SAP CRM WebClient UI does not sufficiently encode user-controlled inputs resulting in Cross-Site Scripting vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP CRM WebClient UIS4FND 102affected
SAP_SESAP CRM WebClient UIS4FND 103affected
SAP_SESAP CRM WebClient UIS4FND 104affected
SAP_SESAP CRM WebClient UIS4FND 105affected
SAP_SESAP CRM WebClient UIS4FND 106affected
SAP_SESAP CRM WebClient UIS4FND 107affected
SAP_SESAP CRM WebClient UIS4FND 108affected
SAP_SESAP CRM WebClient UIWEBCUIF 701affected
SAP_SESAP CRM WebClient UIWEBCUIF 731affected
SAP_SESAP CRM WebClient UIWEBCUIF 746affected
SAP_SESAP CRM WebClient UIWEBCUIF 747affected
SAP_SESAP CRM WebClient UIWEBCUIF 748affected
SAP_SESAP CRM WebClient UIWEBCUIF 800affected
SAP_SESAP CRM WebClient UIWEBCUIF 801affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References