CVE-2024-37174: [Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)
First published: Tue Jul 09 2024(Updated: )
Custom CSS support option in SAP CRM WebClient UI does not sufficiently encode user-controlled inputs resulting in Cross-Site Scripting vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP Customer Relationship Management | =102 | |
| SAP Customer Relationship Management | =103 | |
| SAP Customer Relationship Management | =104 | |
| SAP Customer Relationship Management | =105 | |
| SAP Customer Relationship Management | =106 | |
| SAP Customer Relationship Management | =107 | |
| SAP Customer Relationship Management | =108 | |
| SAP CRM - WebClient UI | =701 | |
| SAP CRM - WebClient UI | =731 | |
| SAP CRM - WebClient UI | =746 | |
| SAP CRM - WebClient UI | =747 | |
| SAP CRM - WebClient UI | =748 | |
| SAP CRM - WebClient UI | =800 | |
| SAP CRM - WebClient UI | =801 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-37174?
CVE-2024-37174 is classified as a Cross-Site Scripting (XSS) vulnerability with a potential for limited impact on confidentiality and integrity.
How do I fix CVE-2024-37174?
To remediate CVE-2024-37174, ensure that user-controlled inputs in the Custom CSS support option are properly encoded to prevent XSS.
Which SAP products are affected by CVE-2024-37174?
CVE-2024-37174 affects multiple versions of SAP Customer Relationship Management, specifically versions 102 through 108, and SAP Customer Relationship Management WebClient UI versions 701, 731, 746, 747, 748, 800, and 801.
Can CVE-2024-37174 be exploited remotely?
Yes, CVE-2024-37174 can potentially be exploited remotely if an attacker can inject malicious scripts into user-controlled inputs.
What can an attacker do if they exploit CVE-2024-37174?
Upon successful exploitation of CVE-2024-37174, an attacker may affect the application’s confidentiality and integrity by executing arbitrary scripts within the user’s browser.
- agent/weakness
- agent/title
- agent/references
- agent/first-publish-date
- agent/type
- agent/description
- agent/severity
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/sap
- canonical/sap customer relationship management
- version/sap customer relationship management/102
- version/sap customer relationship management/103
- version/sap customer relationship management/104
- version/sap customer relationship management/105
- version/sap customer relationship management/106
- version/sap customer relationship management/107
- version/sap customer relationship management/108
- canonical/sap crm - webclient ui
- version/sap crm - webclient ui/701
- version/sap crm - webclient ui/731
- version/sap crm - webclient ui/746
- version/sap crm - webclient ui/747
- version/sap crm - webclient ui/748
- version/sap crm - webclient ui/800
- version/sap crm - webclient ui/801