CVE-2024-34686
MEDIUM
SAP Customer Relationship Management WebClient UI - Unauthenticated Stored Cross-Site Scripting via Crafted URL
Title source: llm
Description
Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application.
References (2)
Core References
Permissions Required
https://me.sap.com/notes/3465129
Patch, Vendor Advisory
https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html
Scores
CVSS v3: 6.1
EPSS: 0.0063
EPSS Percentile: 70.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (15)
sap/customer_relationship_management_webclient_ui 103
sap/customer_relationship_management_webclient_ui 104
sap/customer_relationship_management_webclient_ui 105
sap/customer_relationship_management_webclient_ui 106
sap/customer_relationship_management_webclient_ui 107
sap/customer_relationship_management_webclient_ui 701
sap/customer_relationship_management_webclient_ui 730
sap/customer_relationship_management_webclient_ui 731
sap/customer_relationship_management_webclient_ui 746
sap/customer_relationship_management_webclient_ui 747
... and 5 more
Published: Jun 11, 2024
Tracked Since: Feb 18, 2026