Description
SAP CRM (WebClient UI) - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 700, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability.An attacker could store a malicious URL and lure the victim to click, causing the script supplied by the attacker to execute in the victim user's session. The information from the victim's session could then be modified or read by the attacker.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Affected products
- SAP_SE / SAP CRM WebClient UIS4FND 102 – S4FND 102
- SAP_SE / SAP CRM WebClient UIS4FND 103 – S4FND 103
- SAP_SE / SAP CRM WebClient UIS4FND 104 – S4FND 104
- SAP_SE / SAP CRM WebClient UIS4FND 105 – S4FND 105
- SAP_SE / SAP CRM WebClient UIS4FND 106 – S4FND 106
- SAP_SE / SAP CRM WebClient UIS4FND 107 – S4FND 107
- SAP_SE / SAP CRM WebClient UIWEBCUIF 700 – WEBCUIF 700
- SAP_SE / SAP CRM WebClient UIWEBCUIF 701 – WEBCUIF 701
- SAP_SE / SAP CRM WebClient UIWEBCUIF 731 – WEBCUIF 731
- SAP_SE / SAP CRM WebClient UIWEBCUIF 746 – WEBCUIF 746
- SAP_SE / SAP CRM WebClient UIWEBCUIF 747 – WEBCUIF 747
- SAP_SE / SAP CRM WebClient UIWEBCUIF 748 – WEBCUIF 748
- SAP_SE / SAP CRM WebClient UIWEBCUIF 800 – WEBCUIF 800
- SAP_SE / SAP CRM WebClient UIWEBCUIF 801 – WEBCUIF 801