Description
SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored Cross-Site Scripting (XSS) vulnerability. The malicious code can be used for different purposes. e.g., information can be read, modified, and sent to the attacker. However, availability of the server cannot be impacted.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649
Permissions Required x_refsource_misc
https://launchpad.support.sap.com/#/notes/3024414
Scores
CVSS v3
5.4
EPSS
0.0022
EPSS Percentile
44.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (4)
sap/manufacturing_execution
15.1
sap/manufacturing_execution
15.2
sap/manufacturing_execution
15.3
sap/manufacturing_execution
15.4
Published
Apr 13, 2021
Tracked Since
Feb 18, 2026