CVE-2024-41732

Summary

SAP NetWeaver Application Server ABAP allows an unauthenticated attacker to craft a URL link that could bypass allowlist controls. Depending on the web applications provided by this server, the attacker might inject CSS code or links into the web application that could allow the attacker to read or modify information. There is no impact on availability of application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP NetWeaver Application Server ABAPSAP_UI 754affected
SAP_SESAP NetWeaver Application Server ABAP755affected
SAP_SESAP NetWeaver Application Server ABAP756affected
SAP_SESAP NetWeaver Application Server ABAP757affected
SAP_SESAP NetWeaver Application Server ABAP758affected
SAP_SESAP NetWeaver Application Server ABAPSAP_BASIS 700affected
SAP_SESAP NetWeaver Application Server ABAPSAP_BASIS 701affected
SAP_SESAP NetWeaver Application Server ABAPSAP_BASIS 702affected
SAP_SESAP NetWeaver Application Server ABAPSAP_BASIS 731affected
SAP_SESAP NetWeaver Application Server ABAPSAP_BASIS 912affected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References