CVE-2024-30214
Description
The application allows a high-privilege attacker to append a malicious GET query parameter to Service invocations, which is reflected in the server response. Under certain circumstances, if the parameter contains JavaScript, the script could be processed on the client side.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A high-privilege attacker can inject malicious GET parameters into Service invocations, leading to reflected XSS on the client side.
Vulnerability
Overview
The vulnerability resides in an unspecified SAP application (likely part of SAP NetWeaver or a related product) that fails to sanitize user-supplied GET parameters when constructing Service invocation URLs. A high-privilege attacker can append a malicious query parameter containing JavaScript code to a Service call. When the server processes the request, the injected parameter is reflected in the HTTP response without proper encoding or escaping [1].
Exploitation
Prerequisites
To exploit this issue, the attacker must already hold high privileges on the affected system. The attack vector is the network, and user interaction is required (the victim must load the crafted response). No further authentication is needed beyond the attacker's existing high-privilege account. The CVSS v3 score of 4.8 reflects medium severity; the requirement for both high privileges and user interaction lowers the base score [1].
Impact
If the injected parameter contains JavaScript, it can be processed on the client side, resulting in reflected Cross-Site Scripting (XSS). An attacker could execute arbitrary scripts in the context of the victim's browser session, potentially leading to session hijacking, data theft, or further actions within the application. The scope is changed (an attack can affect components beyond the vulnerable service), as indicated by the CVSS vector [1].
Mitigation
SAP has released security corrections as part of their monthly Security Patch Day. Administrators are advised to apply the relevant SAP Security Note addressing CVE-2024-30214. No workarounds have been publicly documented. Given the high privilege required, the immediate risk is limited to internal trusted users or compromised accounts with elevated roles [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.