CVE-2024-22126

MEDIUM

SAP NetWeaver AS for Java <7.50 - XSS

Title source: llm

Description

The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.

References (3)

Core 3

Core References

Permissions Required

https://me.sap.com/notes/3417627

Vendor Advisory

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Vendor Advisory

https://me.sap.com/notes/3557138

Scores

CVSS v3 6.1

EPSS 0.0036

EPSS Percentile 58.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

sap/netweaver_application_server_java 7.50

Published Feb 13, 2024

Tracked Since Feb 18, 2026