CVE-2023-27499

MEDIUM

SAP NetWeaver GUI for HTML - Reflected Cross-Site Scripting via Malicious URL

Title source: llm

Description

SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure the victim to click, the script supplied by the attacker will execute in the victim user's browser. The information from the victim's web browser can either be modified or read and sent to the attacker.

References (2)

Core 2

Core References

Permissions Required

https://launchpad.support.sap.com/#/notes/3275458

Vendor Advisory

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Scores

CVSS v3 6.1

EPSS 0.0046

EPSS Percentile 64.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (11)

sap/netweaver 7.22ext

sap/netweaver_application_server_abap 7.22

sap/netweaver_application_server_abap 7.53

sap/netweaver_application_server_abap 7.54

sap/netweaver_application_server_abap 7.77

sap/netweaver_application_server_abap 7.81

sap/netweaver_application_server_abap 7.85

sap/netweaver_application_server_abap 7.89

sap/netweaver_application_server_abap 7.91

sap/netweaver_application_server_abap krnl64uc

... and 1 more

Published Apr 11, 2023

Tracked Since Feb 18, 2026