CVE-2024-22128

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-22128
SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can inject malicious javascript to cause limited impact to confidentiality and integrity of the application data after successful exploitation.

4.7 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://me.sap.com/notes/3396109 Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html Vendor Advisory
https://me.sap.com/notes/3396109 Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_700:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_701:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_702:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_731:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_754:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_755:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_756:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_757:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_758:*:*:*:*:*:*:*
History

25 Feb 2026, 10:16

Type Values Removed Values Added
Summary (en) SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can inject malicious javascript to cause limited impact to confidentiality and integrity of the application data after successful exploitation. (en) SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can inject malicious javascript to cause limited impact to confidentiality and integrity of the application data after successful exploitation.

21 Nov 2024, 08:55

Type Values Removed Values Added
References () https://me.sap.com/notes/3396109 - Permissions Required () https://me.sap.com/notes/3396109 - Permissions Required
References () https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory () https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory
CVSS v2 : unknown
v3 : 6.1 		v2 : unknown
v3 : 4.7

16 Oct 2024, 21:30

Type Values Removed Values Added
First Time Sap netweaver Business Client For Html
Sap
CVSS v2 : unknown
v3 : 4.7 		v2 : unknown
v3 : 6.1
CPE cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_701:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_758:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_731:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_757:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_755:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_700:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_business_client_for_html:sap_basis_702:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_754:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_business_client_for_html:sap_ui_756:*:*:*:*:*:*:*
References () https://me.sap.com/notes/3396109 - () https://me.sap.com/notes/3396109 - Permissions Required
References () https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - () https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory

13 Feb 2024, 02:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-02-13 02:15

Updated : 2026-02-25 10:16

NVD link : CVE-2024-22128

Mitre link : CVE-2024-22128

CVE.ORG link : CVE-2024-22128

JSON object : View

Products Affected

sap

  • netweaver_business_client_for_html
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')