CVE-2024-34686

Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application.

CVSS v3.0 6.1 MEDIUM

6.1^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3465129	Permissions Required
https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:731:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:730:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:746:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:747:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:748:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:800:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:801:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:701:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:s4fnd_102:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:webcuif_700:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:103:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:104:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:105:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:106:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:107:::::::*

History

16 Aug 2024, 17:54

Type	Values Removed	Values Added
CPE		cpe:2.3:a:sap:customer_relationship_management_webclient_ui:731:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:webcuif_700:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:747:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:730:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:107:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:800:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:103:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:746:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:105:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:801:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:104:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:106:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:s4fnd_102:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:701:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:748:::::::*
First Time		Sap Sap customer Relationship Management Webclient Ui
References	~~() https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html -~~	() https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html - Patch, Vendor Advisory
References	~~() https://me.sap.com/notes/3465129 -~~	() https://me.sap.com/notes/3465129 - Permissions Required
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1

11 Jun 2024, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-11 03:15

Updated : 2024-08-16 17:54

NVD link : CVE-2024-34686

Mitre link : CVE-2024-34686

JSON object : View

Products Affected

sap

customer_relationship_management_webclient_ui

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10