CVE-2022-27656

The Web administration UI of SAP Web Dispatcher and the Internet Communication Manager (ICM) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Published: May 11, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-27656
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
sap / netweaver_as_abap_krnl64uc	8.04	8.04.x
sap / netweaver_as_abap_krnl64uc	7.22ext	7.22ext.x
sap / netweaver_as_abap_krnl64uc	7.49	7.49.x
sap / netweaver_as_abap_krnl64uc	7.53	7.53.x
sap / netweaver_as_abap_krnl64uc	7.22	7.22.x
sap / netweaver_as_abap_kernel	7.22	7.22.x
sap / netweaver_as_abap_kernel	8.04	8.04.x
sap / netweaver_as_abap_kernel	7.49	7.49.x
sap / netweaver_as_abap_kernel	7.53	7.53.x
sap / netweaver_as_abap_kernel	7.77	7.77.x
sap / netweaver_as_abap_kernel	7.81	7.81.x
sap / netweaver_as_abap_kernel	7.85	7.85.x
sap / netweaver_as_abap_kernel	7.86	7.86.x
sap / netweaver_as_abap_kernel	7.87	7.87.x
sap / webdispatcher	7.49	7.49.x
sap / webdispatcher	7.53	7.53.x
sap / webdispatcher	7.77	7.77.x
sap / webdispatcher	7.81	7.81.x
sap / webdispatcher	7.83	7.83.x
sap / webdispatcher	7.85	7.85.x
sap / webdispatcher	7.22ext	7.22ext.x

Vulnerability Database

289,871

CVE-2022-27656