CVE-2024-42378

Summary

Due to weak encoding of user-controlled inputs, eProcurement on SAP S/4HANA allows malicious scripts to be executed in the application, potentially leading to a Reflected Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application, but it can have some minor impact on its confidentiality and integrity.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP S/4HANA eProcurementSAP_APPL 606affected
SAP_SESAP S/4HANA eProcurementSAP_APPL 617affected
SAP_SESAP S/4HANA eProcurementSAP_APPL 618affected
SAP_SESAP S/4HANA eProcurementS4CORE 102affected
SAP_SESAP S/4HANA eProcurementS4CORE 103affected
SAP_SESAP S/4HANA eProcurementS4CORE 104affected
SAP_SESAP S/4HANA eProcurementS4CORE 105affected
SAP_SESAP S/4HANA eProcurementS4CORE 106affected
SAP_SESAP S/4HANA eProcurementS4CORE 107affected
SAP_SESAP S/4HANA eProcurementS4CORE 108affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References