CVE-2024-22130
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in SAP CRM WebClient UI's print preview feature. Attackers with low-privilege access can inject malicious scripts to compromise data confidentiality and integrity. Affected systems include multiple SAP S4FND and WEBCUIF versions.
💻 Affected Systems
- SAP CRM WebClient UI
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, or exfiltrate sensitive business data from the SAP system.
Likely Case
Attackers with basic user access could inject scripts to steal session data or manipulate interface elements, potentially escalating privileges.
If Mitigated
With proper input validation and output encoding, the vulnerability would be prevented, limiting impact to minor interface disruptions.
🎯 Exploit Status
XSS exploitation typically requires minimal technical skill once the vulnerability has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Note 3410875
Vendor Advisory: https://me.sap.com/notes/3410875
Restart Required: Yes
Instructions:
1. Download SAP Note 3410875 from SAP Support Portal
2. Apply the correction instructions provided in the note
3. Restart affected SAP services
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation for print preview parameters
Implement ABAP code to validate and sanitize user inputs in print preview functionality
Content Security Policy
Implement CSP headers to restrict script execution
Add Content-Security-Policy headers to SAP web server configuration
🧯 If You Can't Patch
- Restrict access to print preview functionality to trusted users only
- Implement web application firewall rules to detect and block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Test print preview functionality with XSS payloads like <script>alert('test')</script>
Check Version:
Use transaction SPAM in SAP GUI to check the applied notes, or check the system version in SAP Logon
Verify Fix Applied:
Verify that SAP Note 3410875 is applied, then test with the same XSS payloads to confirm they are properly encoded in the output
📡 Detection & Monitoring
Log Indicators:
- Unusual print preview requests with script tags
- Multiple failed authentication attempts followed by print preview access
Network Indicators:
- HTTP requests containing script tags in print preview parameters
- Unusual outbound connections following print preview access
SIEM Query:
source="sap_audit_log" AND (event="print_preview" AND (param CONTAINS "<script>" OR param CONTAINS "javascript:"))
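The SIEM query above relies on a literal substring match, which misses URL-encoded, double-encoded and mixed-case variants of the same payload. The following is an added example (not part of the advisory and not SAP code) that applies the same detection idea to constructed access-log lines after decoding; the log format and the /print_preview path are assumptions.

```python
import re
from html import unescape
from urllib.parse import parse_qsl, unquote

# Constructed access-log lines (not real SAP output). Assumed format:
# "<timestamp> user=<user> <METHOD> <path?query>"
SAMPLE_LOG = [
    "2024-01-15T10:22:01Z user=alice GET /crm/print_preview?doc=4711&title=Quote+Q1",
    "2024-01-15T10:22:09Z user=bob GET /crm/print_preview?doc=4712&title=%3Cscript%3Ealert(1)%3C/script%3E",
    "2024-01-15T10:22:15Z user=bob GET /crm/print_preview?doc=4713&link=JaVaScRiPt%3Aalert(1)",
    "2024-01-15T10:22:20Z user=carol GET /crm/print_preview?doc=4714&title=%253Cscript%253Ex%253C/script%253E",
    "2024-01-15T10:22:31Z user=dave GET /crm/search?q=%3Cscript%3E",
]

SCRIPT_PATTERNS = (
    re.compile(r"<\s*script\b", re.IGNORECASE),    # opening <script> tag
    re.compile(r"javascript\s*:", re.IGNORECASE),  # javascript: URI scheme
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),  # inline event-handler attribute
)


def normalize(value):
    """parse_qsl already removes one layer of URL encoding; strip up to two
    more layers and any HTML entities so encoded variants hit the same rules."""
    for _ in range(2):
        value = unquote(value)
    return unescape(value)


def suspicious_params(log_line):
    """Return names of print-preview parameters whose decoded value looks like
    script injection. Requests to other paths are out of scope and return []."""
    _ts, _user_field, _method, target = log_line.split(" ", 3)
    path, _, query = target.partition("?")
    if not path.endswith("/print_preview"):  # assumed print-preview endpoint
        return []
    return [name for name, raw in parse_qsl(query, keep_blank_values=True)
            if any(p.search(normalize(raw)) for p in SCRIPT_PATTERNS)]


def scan(lines):
    """Map each user to the number of flagged print-preview requests,
    giving the per-user view the log indicators above call for."""
    hits = {}
    for line in lines:
        if suspicious_params(line):
            user = line.split(" ")[1].removeprefix("user=")
            hits[user] = hits.get(user, 0) + 1
    return hits
```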