CVE-2024-47590

EUVD-2024-42535

12.11.2024, 01:15

An unauthenticated attacker can create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, input data will be used by the web site page generation to create content which when executed in the victim's browser (XXS) or transmitted to another server (SSRF) gives the attacker the ability to execute arbitrary code on the server fully compromising confidentiality, integrity and availability.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
CISA-ADP	ADP	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 72%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
sap	web_dispatcher	7.89	ADP
sap	web_dispatcher	7.93	ADP
sap	web_dispatcher	9.12	ADP
sap	web_dispatcher	9.13	ADP

Common Weakness Enumeration

CWE-791 - Incomplete Filtering of Special Elements
The software receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.

References

https://me.sap.com/notes/3520281

https://url.sap/sapsecuritypatchday