Arpine Maghakyan

Security Researcher of RedRays.

Critical XSS Vulnerability Identified in SAP NetWeaver AS Java

Date of Release: February 13, 2024

Advisory ID: CVE-2024-22126

Affected Software: SAP NetWeaver Application Server for Java (AS Java) User Admin Application

Versions Affected: J2EE ENGINE APPLICATIONS 7.50, specifically:

  • SP026000005
  • SP027000003
  • SP028000003
  • SP029000000

Vulnerability Summary: A critical Cross-Site Scripting (XSS) vulnerability, CVE-2024-22126, has been discovered in the User Admin application of SAP NetWeaver AS for Java. The vulnerability arises due to insufficient validation and improper encoding of incoming URL parameters before including them in the redirect URL. This flaw can lead to a significant compromise of confidentiality, with a lesser impact on integrity and availability.

CVSS Score: 8.8 (High)

CVSS Vector:

  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): Required
  • Scope (S): Changed
  • Confidentiality Impact (C): High
  • Integrity Impact (I): Low
  • Availability Impact (A): Low

Symptom: Attackers can exploit this vulnerability by crafting malicious URL parameters that are reflected back to the user’s browser, leading to XSS attacks. This could result in unauthorized access to user sessions and personal data, posing a severe security risk.

Cause: The vulnerability is introduced after applying SAP Note 3251396; once that note is applied, URL parameters used to build redirects are inadequately validated and encoded, which allows the XSS.

Solution: Users are urged to apply the corrective measures provided in the “Validity” and “Support Packages & Patches” sections of the SAP Security Note related to CVE-2024-22126. It is also recommended to review SAP Note 1974464 for information on SCA Dependency Analysis for Java download objects to avoid system incompatibilities.

Mitigation: Until patches can be applied, it is advised to monitor and possibly restrict incoming URL parameters to the User Admin application to mitigate the risk of exploitation.
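To illustrate the missing step the advisory describes (validating and encoding a URL parameter before it is placed in a redirect), here is an added example in Python; it is not RedRays' or SAP's code and not the patched logic, and the `/useradmin/` prefix and sample values are constructed for the demonstration.

```python
from urllib.parse import quote, urlsplit

# Constructed example: in-app path prefix that redirect targets must stay under.
ALLOWED_PREFIX = "/useradmin/"


def vulnerable_location(target: str) -> str:
    """The flawed pattern: the incoming parameter is copied into the redirect URL
    with no validation and no encoding, so whatever it contains is reflected."""
    return "Location: " + target


def safe_redirect_target(target: str) -> str:
    """Return a validated, re-encoded relative target, or raise ValueError."""
    # Check control characters (CR/LF) on the raw string: urlsplit() silently
    # strips tab/CR/LF before parsing, so it would hide header injection.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        raise ValueError("control character in redirect target")
    if target.startswith("//") or "\\" in target:
        raise ValueError("protocol-relative or backslash target rejected")
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute URLs and scheme-bearing values are not in-app paths; an
        # allow-list of relative paths also closes off open redirects.
        raise ValueError("scheme or host in redirect target rejected")
    if ".." in parts.path.split("/") or not parts.path.startswith(ALLOWED_PREFIX):
        raise ValueError("redirect target outside the allowed application path")
    # Percent-encode everything except the path/query delimiters, so quotes and
    # angle brackets cannot break out of the attribute or page the URL lands in.
    # The fragment, if any, is dropped.
    path = quote(parts.path, safe="/")
    query = "?" + quote(parts.query, safe="=&") if parts.query else ""
    return path + query


def hardened_location(target: str, fallback: str = ALLOWED_PREFIX) -> str:
    """Build the Location header, falling back to a fixed page on any rejection."""
    try:
        return "Location: " + safe_redirect_target(target)
    except ValueError:
        return "Location: " + fallback


if __name__ == "__main__":
    for sample in ("/useradmin/home?tab=users",
                   '/useradmin/home"><b>x</b>',
                   "https://evil.example/login",
                   "//evil.example/"):
        print(repr(sample), "->", hardened_location(sample))
```

Input that arrives already percent-encoded should be decoded once before this check, otherwise `quote` will double-encode it.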

References:

  • SAP Security Note [CVE-2024-22126]
  • SAP Note 3251396
  • SAP Note 1974464


The signature of this vulnerability has been added to the RedRays Security Platform
