Vulnerability Name: CVE-2022-35170 (CCN-231003)
Assigned: 2022-07-12
Published: 2022-07-12
Updated: 2022-07-20

Summary: SAP NetWeaver Enterprise Portal, versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs received over the network, resulting in a reflected Cross-Site Scripting (XSS) vulnerability that changes the scope of the attack (CVSS S:C). This leads to limited impact on the confidentiality and integrity of data.

CVSS v3 Severity: 6.1 Medium
  CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  Temporal: 5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): Required
  Scope:
    Scope (S): Changed
  Impact Metrics:
    Confidentiality (C): Low
    Integrity (I): Low
    Availability (A): None

CCN CVSS v3 Severity: 6.1 Medium
  CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  Temporal: 5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): Required
  Scope:
    Scope (S): Changed
  Impact Metrics:
    Confidentiality (C): Low
    Integrity (I): Low
    Availability (A): None

CVSS v2 Severity: 4.3 Medium
  CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Medium
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): Partial
    Availability (A): None

CCN CVSS v2 Severity: 5.5 Medium
  CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): Single_Instance
  Impact Metrics:
    Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): None

Vulnerability Type: CWE-79
Vulnerability Consequences: Cross-Site Scripting

References:
  Source: MITRE; Type: CNA; CVE-2022-35170
  Source: CCN; Type: SAP Security Patch Day - July 2022
  Source: XF; Type: UNKNOWN; sap-cve202235170-xss(231003)
  Source: CCN; Type: SAP Web site; SAP Support Note 3208819
  Source: MISC; Type: Permissions Required, Vendor Advisory; https://launchpad.support.sap.com/#/notes/3208819
  Source: MISC; Type: Vendor Advisory; https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Vulnerable Configuration:
  Configuration 1:
    cpe:/a:sap:netweaver_enterprise_portal:7.10:*:*:*:*:*:*:*
    OR cpe:/a:sap:netweaver_enterprise_portal:7.11:*:*:*:*:*:*:*
    OR cpe:/a:sap:netweaver_enterprise_portal:7.20:*:*:*:*:*:*:*
    OR cpe:/a:sap:netweaver_enterprise_portal:7.30:*:*:*:*:*:*:*
    OR cpe:/a:sap:netweaver_enterprise_portal:7.31:*:*:*:*:*:*:*
    OR cpe:/a:sap:netweaver_enterprise_portal:7.40:*:*:*:*:*:*:*
    OR cpe:/a:sap:netweaver_enterprise_portal:7.50:*:*:*:*:*:*:*
  Configuration CCN 1:
    the same seven CPEs as Configuration 1 (versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50)
Vulnerable components:
  sap netweaver enterprise portal 7.10
  sap netweaver enterprise portal 7.11
  sap netweaver enterprise portal 7.20
  sap netweaver enterprise portal 7.30
  sap netweaver enterprise portal 7.31
  sap netweaver enterprise portal 7.40
  sap netweaver enterprise portal 7.50