CVE-2024-45280
Description
Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. This has a limited impact on confidentiality and integrity of the application. There is no impact on availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cross-site scripting vulnerability in SAP NetWeaver AS Java allows attacker-controlled scripts in the login application, affecting confidentiality and integrity.
Vulnerability Description
CVE-2024-45280 is a stored cross-site scripting vulnerability affecting SAP NetWeaver AS Java. The root cause is insufficient encoding of user-controlled inputs within the login application, which allows attackers to inject arbitrary script code [1]. This is classified as a medium-severity issue with a CVSS v3 score of 4.8.
Exploitation Context
To exploit this vulnerability, an attacker must be able to submit crafted input that is subsequently stored and rendered in the login application without proper sanitization. The attack does not require authentication from the attacker's perspective, but relies on a victim user (such as an administrator) accessing the maliciously crafted content [1]. The attack vector is likely remote, as the login application is typically exposed on the network.
Impact Assessment
Successful exploitation allows the attacker to execute malicious scripts in the context of the affected user's session. This leads to a limited compromise of confidentiality (e.g., disclosure of session tokens or other sensitive data visible to the script) and integrity (e.g., modification of the displayed content or the ability to perform actions on behalf of the victim). Availability of the application is not impacted [1].
Remediation Status
SAP has released a security patch for this vulnerability, which is available via the SAP Security Notes process. Administrators are strongly advised to apply the provided correction as part of regular patch day maintenance [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.