CVE-2024-37174

MEDIUM

SAP Customer Relationship Management WebClient UI - Cross-Site Scripting via Custom CSS Support

Title source: llm

Description

The custom CSS support option in SAP CRM WebClient UI does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting vulnerability. On successful exploitation, an attacker can cause limited impact on the confidentiality and integrity of the application.

References (2)

Core References
Permissions Required
https://me.sap.com/notes/3467377

Scores

CVSS v3 6.1
EPSS 0.0059
EPSS Percentile 69.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (14)
sap/customer_relationship_management_s4fnd 102
sap/customer_relationship_management_s4fnd 103
sap/customer_relationship_management_s4fnd 104
sap/customer_relationship_management_s4fnd 105
sap/customer_relationship_management_s4fnd 106
sap/customer_relationship_management_s4fnd 107
sap/customer_relationship_management_s4fnd 108
sap/customer_relationship_management_webclient_ui 701
sap/customer_relationship_management_webclient_ui 731
sap/customer_relationship_management_webclient_ui 746
... and 4 more
Published Jul 09, 2024
Tracked Since Feb 18, 2026