CVE-2022-35294: XSS
First published: Tue Sep 13 2022(Updated: )
An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user.
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP NetWeaver Application Server ABAP | =7.22ext | |
| SAP NetWeaver Application Server ABAP | =7.49 | |
| SAP NetWeaver Application Server ABAP | =7.53 | |
| SAP NetWeaver Application Server ABAP | =7.54 | |
| SAP NetWeaver Application Server ABAP | =7.77 | |
| SAP NetWeaver Application Server ABAP | =7.81 | |
| SAP NetWeaver Application Server ABAP | =7.85 | |
| SAP NetWeaver Application Server ABAP | =7.89 | |
| SAP NetWeaver Application Server ABAP | =kernel_7.22 | |
| SAP NetWeaver Application Server ABAP | =krnl64nuc_7.22 | |
| SAP NetWeaver Application Server ABAP | =krnl64uc_7.22 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this security issue?
The vulnerability ID of this security issue is CVE-2022-35294.
What is the severity level of CVE-2022-35294?
The severity level of CVE-2022-35294 is medium with a CVSS score of 5.4.
How does CVE-2022-35294 impact SAP NetWeaver Application Server ABAP?
CVE-2022-35294 allows an attacker with basic business user privileges to upload a malicious file to SAP NetWeaver Application Server ABAP, which can lead to a stored Cross-Site-Scripting attack and information disclosure.
Which versions of SAP NetWeaver Application Server ABAP are affected by CVE-2022-35294?
SAP NetWeaver Application Server ABAP versions 7.22ext, 7.49, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, kernel_7.22, krnl64nuc_7.22, and krnl64uc_7.22 are affected by CVE-2022-35294.
What is the recommended action to fix CVE-2022-35294?
To fix CVE-2022-35294, it is recommended to apply the necessary security patches provided by SAP as mentioned in the SAP Notes 3218177.
- collector/nvd-index
- agent/weakness
- agent/type
- vendor/sap
- canonical/sap netweaver application server abap
- version/sap netweaver application server abap/7.22ext
- version/sap netweaver application server abap/7.49
- version/sap netweaver application server abap/7.53
- version/sap netweaver application server abap/7.54
- version/sap netweaver application server abap/7.77
- version/sap netweaver application server abap/7.81
- version/sap netweaver application server abap/7.85
- version/sap netweaver application server abap/7.89
- version/sap netweaver application server abap/kernel_7.22
- version/sap netweaver application server abap/krnl64nuc_7.22
- version/sap netweaver application server abap/krnl64uc_7.22