CVE-2024-37173
Severity: MEDIUM
SAP CRM WebClient UI - Unauthenticated Stored Cross-Site Scripting via Crafted URL
Title source: llmDescription
Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will be executed in the victim's browser, giving the attacker the ability to access and/or modify information with no effect on availability of the application.
References (2)
Core References
https://me.sap.com/notes/3467377 (Permissions Required)
https://url.sap/sapsecuritypatchday (Vendor Advisory)
Scores
CVSS v3: 6.1
EPSS: 0.0042
EPSS Percentile: 62.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (14)
sap/customer_relationship_management_s4fnd 102
sap/customer_relationship_management_s4fnd 103
sap/customer_relationship_management_s4fnd 104
sap/customer_relationship_management_s4fnd 105
sap/customer_relationship_management_s4fnd 106
sap/customer_relationship_management_s4fnd 107
sap/customer_relationship_management_s4fnd 108
sap/customer_relationship_management_webclient_ui 701
sap/customer_relationship_management_webclient_ui 731
sap/customer_relationship_management_webclient_ui 746
... and 4 more
Published: Jul 09, 2024
Tracked Since: Feb 18, 2026