Main Vulnerability Database Vulnerabilities #VU95817

#VU95817 XML injection in BEx Web Java Runtime Export Web Service - CVE-2024-42374

Published: August 13, 2024

Vulnerability identifier: #VU95817

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-42374

CWE-ID: CWE-91

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
BEx Web Java Runtime Export Web Service

Software vendor:
SAP

Description

The vulnerability allows a remote attacker to gain access to sensitive information or perform a denial of service attack.

The vulnerability exists due to improper input validation when processing XML files. A remote unauthenticated attacker can pass a specially crafted XML file to the application and gain access to sensitive information from the SAP ADS system or exhaust the number of XMLForm service, rendering the SAP ADS (PDF creation) unavailable.

Remediation

Install updates from vendor's website.

External links

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/august-2024.html

#VU95817 XML injection in BEx Web Java Runtime Export Web Service - CVE-2024-42374

Description

Remediation

External links

Please verify you're human