CVE-2024-34686

6.1 MEDIUM

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in SAP CRM WebClient UI that allows unauthenticated attackers to craft malicious URLs containing scripts. When victims click these links, the scripts execute in their browsers, potentially allowing attackers to access or modify information. All users of affected SAP CRM WebClient UI versions are vulnerable.

💻 Affected Systems

Products:
  • SAP CRM WebClient UI
Versions: Specific versions not detailed in CVE; refer to SAP Note 3465129 for affected versions
Operating Systems: All platforms running SAP CRM WebClient UI
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the WebClient UI component; requires SAP CRM deployment with WebClient UI enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or capture sensitive data entered in the CRM interface.

🟠 Likely Case: Attackers would typically use this for session hijacking, credential theft, or phishing attacks against CRM users.

🟢 If Mitigated: With proper input validation and output encoding, the malicious scripts would be neutralized before execution.

🌐 Internet-Facing: HIGH - Since exploitation requires only a crafted URL, internet-facing instances are particularly vulnerable to drive-by attacks.
🏢 Internal Only: MEDIUM - Internal users could still be targeted via phishing emails or malicious links within the organization.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only crafting a malicious URL and social engineering victims to click it; no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 3465129

Vendor Advisory: https://me.sap.com/notes/3465129

Restart Required: Yes

Instructions:

1. Download SAP Note 3465129 from the SAP Support Portal.
2. Apply the note to affected SAP CRM systems.
3. Restart the application server.
4. Test the fix in a development environment first.

🔧 Temporary Workarounds

Input Validation Enhancement
Applies to: all
Implement additional input validation for URL parameters in WebClient UI.
Custom ABAP code required; implement input validation in the relevant WebClient UI handlers.

Content Security Policy
Applies to: all
Implement CSP headers to restrict script execution.
Configure SAP Web Dispatcher or the application server to add CSP headers.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block malicious URLs containing script patterns
  • Educate users about phishing risks and safe browsing practices for CRM access

🔍 How to Verify

Check if Vulnerable:

Check if SAP Security Note 3465129 is applied in transaction SNOTE

Check Version:

Transaction SM51 to check application server details; or check note implementation in SNOTE

Verify Fix Applied:

Test with crafted URLs containing script payloads; they should be properly sanitized or blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL patterns with script tags in WebClient UI access logs
  • Multiple failed script execution attempts

Network Indicators:

  • HTTP requests with suspicious parameters containing script elements to CRM endpoints

SIEM Query:

web.url CONTAINS "<script>" AND destination_ip IN (crm_server_ips)
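The SIEM query above matches only a literal `<script>` string, so it misses percent-encoded and double-encoded payloads, which is how such a URL usually arrives. The following is an added example (not part of this advisory and not SAP code) of a log scanner that decodes the query string before matching. The log lines are constructed in Common Log Format for illustration; the real ICM/Web Dispatcher format depends on the `icm/HTTP/logging_0` parameter, so the line regex and the `/sap/bc/bsp/sap/crm_ui_start` path prefix are assumptions to adjust for your system.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). Real ICM logs may
# use a different layout, so CLF_RE below is an assumption for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2024:10:00:01 +0000] "GET /sap/bc/bsp/sap/crm_ui_start/default.htm?sap-client=100 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jun/2024:10:00:07 +0000] "GET /sap/bc/bsp/sap/crm_ui_start/default.htm?crm-object-type=<script>alert(1)</script> HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jun/2024:10:00:09 +0000] "GET /sap/bc/bsp/sap/crm_ui_start/default.htm?saprole=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jun/2024:10:00:12 +0000] "GET /sap/bc/bsp/sap/crm_ui_start/default.htm?q=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 4096
10.0.0.7 - - [01/Jun/2024:10:00:20 +0000] "GET /sap/public/bc/ur/Login/assets/corbu/sap_logo.png HTTP/1.1" 200 2048
"""

# Fields of one CLF line: client IP, timestamp, method, URL, status.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of HTML/JS injection in a query parameter. \b before "on" avoids
# matching harmless parameter names such as "confirmation=".
XSS_PATTERNS = re.compile(
    r'(<\s*script|javascript\s*:|\bon\w+\s*=|<\s*(img|svg|iframe)\b)',
    re.IGNORECASE,
)

# Assumed path prefix of the CRM WebClient UI application; adjust per system.
CRM_PREFIX = "/sap/bc/bsp/sap/crm_ui_start"


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded payloads such as %253Cscript%253E are still caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(text):
    """Return one hit per CRM WebClient UI request whose decoded query string
    contains an injection marker; non-CRM requests are ignored."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        url = m.group("url")
        if not url.startswith(CRM_PREFIX):
            continue
        raw_query = url.partition("?")[2]
        decoded = fully_decode(raw_query)
        found = XSS_PATTERNS.search(decoded)
        if found:
            hits.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "raw_query": raw_query,
                "decoded_query": decoded,
                "pattern": found.group(0),
            })
    return hits


def count_by_source(hits):
    """Aggregate hits per client IP, the usual pivot for a SIEM alert."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(h["ts"], h["src"], h["pattern"], h["decoded_query"])
    print(count_by_source(scan_access_log(SAMPLE_LOG)))
```

On the constructed input the scanner flags three of the five lines: the plain `<script>` request, the single-encoded one, and the double-encoded `<img ... onerror=` one, all from the same source address. A literal `CONTAINS "<script>"` match would have caught only the first. A 200 status on a flagged request is worth noting too, since it says the server rendered the page rather than rejecting the parameter.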
