#VU75168 Cross-site scripting in SAP products - CVE-2023-27499
Published: April 17, 2023
Vulnerability identifier: #VU75168
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2023-27499
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
SAP GUI for HTML KERNEL
SAP GUI for HTML KRNL32UC
SAP GUI for HTML KRNL64UC
SAP GUI for HTML KERNEL
SAP GUI for HTML KRNL32UC
SAP GUI for HTML KRNL64UC
Software vendor:
SAP
SAP
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install updates from vendor's website.