First published: Tue Apr 11 2023
SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT - does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure the victim into clicking it; the script supplied by the attacker would then execute in the victim's browser. Information in the victim's web browser could be modified, or read and sent to the attacker.
Credit: cna@sap.com
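The root cause described above is output encoding that is incomplete for the HTML context the input is reflected into. The following added example (not SAP code, and unrelated to the internals of SAP GUI for HTML) contrasts an encoder that only neutralises angle brackets with a context-aware one, and includes a check a reviewer can run to confirm that a reflected query parameter stays confined to the attribute it is written into. The template, parameter names and sample inputs are constructed for illustration.

```python
import html
import re

# Constructed page fragment: a query parameter reflected into two HTML
# contexts, the element body and a double-quoted attribute value.
PAGE_TEMPLATE = (
    '<p>You searched for: {text}</p>\n'
    '<input type="text" name="q" value="{attr}">'
)

# Matches the first value="..." attribute in rendered output.
ATTR_VALUE = re.compile(r'value="([^"]*)"')


def encode_partial(value: str) -> str:
    """Insufficient encoding: only '<' and '>' are replaced.

    Adequate for element-body text, but a double quote in the input still
    terminates a quoted attribute value, so the reflected data is no longer
    confined to the context the developer intended.
    """
    return value.replace("<", "&lt;").replace(">", "&gt;")


def encode_full(value: str) -> str:
    """Context-aware encoding for HTML text and quoted attributes:
    & < > " ' all become character references."""
    return html.escape(value, quote=True)


def render(value: str, encoder) -> str:
    """Reflect the (encoded) user value into both contexts of the template."""
    encoded = encoder(value)
    return PAGE_TEMPLATE.format(text=encoded, attr=encoded)


def input_confined_to_attribute(value: str, encoder) -> bool:
    """Defensive check: after rendering, the attribute value parsed from the
    page must equal the whole encoded input. If it is shorter, a quote in the
    input closed the attribute early and the remainder landed in tag context."""
    match = ATTR_VALUE.search(render(value, encoder))
    return match is not None and match.group(1) == encoder(value)


if __name__ == "__main__":
    for sample in ['<b>x</b>', 'a"b']:
        for name, enc in (("partial", encode_partial), ("full", encode_full)):
            print(f"{name:7} {sample!r:12} confined={input_confined_to_attribute(sample, enc)}")
```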
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP NetWeaver | =7.22ext | |
| SAP NetWeaver Application Server ABAP | =7.22 | |
| SAP NetWeaver Application Server ABAP | =7.53 | |
| SAP NetWeaver Application Server ABAP | =7.54 | |
| SAP NetWeaver Application Server ABAP | =7.77 | |
| SAP NetWeaver Application Server ABAP | =7.81 | |
| SAP NetWeaver Application Server ABAP | =7.85 | |
| SAP NetWeaver Application Server ABAP | =7.89 | |
| SAP NetWeaver Application Server ABAP | =7.91 | |
| SAP NetWeaver Application Server ABAP | =krnl64uc | |
| SAP NetWeaver Application Server ABAP | =krnl64uc_7.22 | |
CVE-2023-27499 is a Cross-Site Scripting (XSS) vulnerability in SAP GUI for HTML versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC 7.22, 7.22EXT, and KRNL64UC 7.22, 7.22EXT.
The severity of CVE-2023-27499 is medium with a CVSS score of 6.1.
The affected software versions include SAP NetWeaver 7.22ext, SAP NetWeaver Application Server ABAP 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, SAP NetWeaver Application Server ABAP KRNL64UC, and SAP NetWeaver Application Server ABAP KRNL64UC 7.22, 7.22EXT.
An attacker can exploit CVE-2023-27499 by crafting a malicious URL and luring the victim to click on it, which would result in the execution of malicious scripts in the victim's browser.
More information about CVE-2023-27499 is available in the following references: [SAP Note 3275458](https://launchpad.support.sap.com/#/notes/3275458) and [SAP Security Note](https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html).