CVE-2024-37174

6.1 MEDIUM

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in SAP CRM WebClient UI's custom CSS support option. Attackers can inject malicious scripts through user-controlled inputs, potentially compromising user sessions and data integrity. Organizations using affected SAP CRM versions are vulnerable.

💻 Affected Systems

Products:
  • SAP CRM WebClient UI
Versions: Specific versions not detailed in CVE; check SAP Note 3467377 for exact affected versions
Operating Systems: All platforms running SAP CRM
Default Config Vulnerable: ⚠️ Yes
Notes: Requires custom CSS support to be enabled and accessible to users with input privileges.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker steals authenticated user sessions, performs actions as legitimate users, and exfiltrates sensitive CRM data.

🟠 Likely Case

Attacker injects malicious scripts to steal session cookies or redirect users to phishing sites, compromising individual user accounts.

🟢 If Mitigated

With proper input validation and output encoding, the vulnerability is prevented, maintaining normal application functionality.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction or access to input fields, but XSS techniques are well-documented and easy to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 3467377

Vendor Advisory: https://me.sap.com/notes/3467377

Restart Required: Yes

Instructions:

1. Download SAP Note 3467377 from SAP Support Portal.
2. Apply the security patch to affected SAP CRM systems.
3. Restart the application server to activate changes.
4. Verify the fix by testing custom CSS inputs.

🔧 Temporary Workarounds

Disable Custom CSS Support

Temporarily disable the vulnerable custom CSS feature to prevent exploitation.

Navigate to SAP CRM WebClient UI configuration and disable custom CSS support option.

Implement Input Validation

Add server-side validation to sanitize CSS inputs before processing.

Implement input validation rules to reject or sanitize malicious script tags in CSS inputs.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in CSS inputs.
  • Restrict access to custom CSS features to trusted users only.

🔍 How to Verify

Check if Vulnerable:

Test by injecting a simple XSS payload (e.g., <script>alert('test')</script>) into custom CSS input fields and check if it executes.

Check Version:

Check SAP system version via transaction code SM51 or consult SAP Note 3467377 for patch verification.

Verify Fix Applied:

After patching, repeat the XSS test; the payload should be encoded or blocked, not executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual or malicious script patterns in custom CSS input logs.
  • Multiple failed login attempts following CSS input changes.

Network Indicators:

  • HTTP requests containing script tags in CSS parameters.
  • Outbound connections to suspicious domains from CRM sessions.

SIEM Query:

source="sap_crm_logs" AND (message="*<script>*" OR message="*javascript:*")
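As an added example that is not part of this advisory, the following Python script applies the intent of the SIEM query above to constructed log lines; the log format, the field names and the `custom_css` parameter name are assumptions. It goes slightly beyond the literal query by URL-decoding values before matching and matching case-insensitively, since a literal `*<script>*` wildcard misses encoded or mixed-case variants.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines; the key=value format and field names are
# assumptions, not the real SAP CRM log layout.
SAMPLE_LOGS = [
    'ts=2024-06-11T10:01:02Z user=ALICE path=/sap/bc/bsp/sap/crm_ui_start param=custom_css value="body{color:red}"',
    'ts=2024-06-11T10:02:17Z user=BOB path=/sap/bc/bsp/sap/crm_ui_start param=custom_css value="%3Cscript%3Ealert(1)%3C/script%3E"',
    'ts=2024-06-11T10:03:44Z user=CAROL path=/sap/bc/bsp/sap/crm_ui_start param=custom_css value="a{background:url(JavaScript:alert(1))}"',
    'ts=2024-06-11T10:04:00Z user=DAVE path=/sap/bc/bsp/sap/crm_ui_start param=theme value="dark"',
]

# Same two indicators as the SIEM query, but tolerant of whitespace and case.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)

# Extracts the parameter name and its quoted value from one log line.
VALUE_RE = re.compile(r'param=(\S+) value="([^"]*)"')

# Parameter that carries the custom CSS (assumed name).
CSS_PARAM = "custom_css"


def normalize(value):
    """URL-decode repeatedly (bounded) so double-encoded values are caught."""
    prev = None
    for _ in range(3):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value


def find_suspicious_css(lines):
    """Return (line, decoded_value) for CSS inputs matching the indicators."""
    hits = []
    for line in lines:
        m = VALUE_RE.search(line)
        if not m:
            continue
        param, raw = m.groups()
        if param != CSS_PARAM:
            continue  # only the custom CSS parameter is in scope here
        decoded = normalize(raw)
        if SUSPICIOUS.search(decoded):
            hits.append((line, decoded))
    return hits


if __name__ == "__main__":
    for line, decoded in find_suspicious_css(SAMPLE_LOGS):
        print("ALERT:", decoded, "<-", line)
```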
