CVE-2023-24529: XSS
First published: Tue Feb 14 2023(Updated: )
Due to lack of proper input validation, BSP application (CRM_BSP_FRAME) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, allow malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a Reflected Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to hijack a user session, read and modify some sensitive information.
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP NetWeaver AS ABAP Business Server Pages | =7.00 | |
| SAP NetWeaver AS ABAP Business Server Pages | =7.01 | |
| SAP NetWeaver AS ABAP Business Server Pages | =7.02 | |
| SAP NetWeaver AS ABAP Business Server Pages | =7.31 | |
| SAP NetWeaver AS ABAP Business Server Pages | =7.40 | |
| SAP NetWeaver AS ABAP Business Server Pages | =7.50 | |
| SAP NetWeaver AS ABAP Business Server Pages | =7.51 | |
| SAP NetWeaver AS ABAP Business Server Pages | =7.52 | |
| SAP NetWeaver AS ABAP Business Server Pages | =75c | |
| SAP NetWeaver AS ABAP Business Server Pages | =75d | |
| SAP NetWeaver AS ABAP Business Server Pages | =75e | |
| SAP NetWeaver AS ABAP Business Server Pages | =75f | |
| SAP NetWeaver AS ABAP Business Server Pages | =75g | |
| SAP NetWeaver AS ABAP Business Server Pages | =75h |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-24529?
CVE-2023-24529 is a vulnerability in SAP NetWeaver AS ABAP Business Server Pages that allows for a Reflected Cross-Site Scripting (XSS) attack.
Which software versions are affected by CVE-2023-24529?
SAP NetWeaver AS ABAP Business Server Pages versions 7.00, 7.01, 7.02, 7.31, 7.40, 7.50, 7.51, 7.52, 75c, 75d, 75e, 75f, 75g, and 75h are affected by CVE-2023-24529.
What is the severity of CVE-2023-24529?
CVE-2023-24529 has a severity rating of 6.1 (medium).
How can an attacker exploit CVE-2023-24529?
An attacker can exploit CVE-2023-24529 by providing malicious inputs from untrusted sources, which can then be used to execute a Reflected Cross-Site Scripting (XSS) attack.
Where can I find more information about CVE-2023-24529?
You can find more information about CVE-2023-24529 in the SAP Note 3282663 and the SAP security advisory document.
- collector/nvd-index
- vendor/sap
- canonical/sap netweaver as abap business server pages
- version/sap netweaver as abap business server pages/7.00
- version/sap netweaver as abap business server pages/7.01
- version/sap netweaver as abap business server pages/7.02
- version/sap netweaver as abap business server pages/7.31
- version/sap netweaver as abap business server pages/7.40
- version/sap netweaver as abap business server pages/7.50
- version/sap netweaver as abap business server pages/7.51
- version/sap netweaver as abap business server pages/7.52
- version/sap netweaver as abap business server pages/75c
- version/sap netweaver as abap business server pages/75d
- version/sap netweaver as abap business server pages/75e
- version/sap netweaver as abap business server pages/75f
- version/sap netweaver as abap business server pages/75g
- version/sap netweaver as abap business server pages/75h