CVE-2024-47594

5.4 MEDIUM

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal's KMC servlet where user inputs aren't properly encoded. Attackers can craft malicious links containing scripts that, when clicked by authenticated portal users, could compromise their browser sessions. This affects organizations running vulnerable versions of SAP NetWeaver Enterprise Portal.

💻 Affected Systems

Products:
  • SAP NetWeaver Enterprise Portal
Versions: Specific versions not provided in CVE description; check SAP Note 3503462 for details
Operating Systems: All platforms running SAP NetWeaver
Default Config Vulnerable: ⚠️ Yes
Notes: Requires KMC servlet to be enabled and accessible; users must be authenticated to the portal for successful exploitation

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, hijack authenticated sessions, perform actions as the victim, and potentially access sensitive portal data.

🟠 Likely Case

Attackers would typically steal session cookies to impersonate users, potentially accessing their portal permissions and data.

🟢 If Mitigated

With proper input validation and output encoding, the attack would fail to execute malicious scripts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick authenticated users into clicking malicious links; no authentication bypass needed

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check SAP Note 3503462 for specific patch versions

Vendor Advisory: https://me.sap.com/notes/3503462

Restart Required: Yes

Instructions:

1. Review SAP Note 3503462 for your specific SAP NetWeaver version
2. Apply the relevant SAP Security Patch Day updates
3. Restart the affected SAP systems
4. Verify the fix by testing the KMC servlet endpoints

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Implement a web application firewall or input validation to sanitize KMC servlet parameters

Content Security Policy (platform: all)

Implement strict CSP headers to prevent script execution from untrusted sources

🧯 If You Can't Patch

  • Implement a web application firewall with XSS protection rules
  • Educate users about phishing risks and suspicious links

🔍 How to Verify

Check if Vulnerable:

Test KMC servlet endpoints with XSS payloads; check if scripts execute in victim context

Check Version:

Check SAP system version via transaction SM51 or system info

Verify Fix Applied:

After patching, retest with XSS payloads to confirm scripts no longer execute

📡 Detection & Monitoring

Log Indicators:

  • Unusual parameter values in KMC servlet requests
  • Multiple failed XSS attempts

Network Indicators:

  • Requests to KMC endpoints with script tags or JavaScript in parameters

SIEM Query:

web_requests WHERE url CONTAINS 'kmc' AND (params CONTAINS '<script' OR params CONTAINS 'javascript:')
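
The indicators above, as an added Python example (not code from SAP or from this advisory): it percent-decodes the query string before matching, so encoded and mixed-case values are caught where a literal substring query would miss them. The access-log format, paths and parameter names are constructed placeholders; only the 'kmc', '<script' and 'javascript:' markers come from the query above.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Markers taken from the SIEM query above; matched case-insensitively.
MARKERS = re.compile(r"<\s*script|javascript:", re.IGNORECASE)
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <), bounded."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(log_line):
    """True if the line is a KMC request whose query string carries a script marker."""
    m = REQUEST.search(log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if "kmc" not in url.path.lower():
        return False
    return bool(MARKERS.search(fully_decode(url.query)))


def scan(lines):
    """Return the indexes of the lines that match the indicators."""
    return [i for i, line in enumerate(lines) if is_suspicious(line)]


# Constructed sample lines; hosts, paths and parameter names are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Jan/2025:10:00:00 +0000] "GET /portal/kmc/example?doc=report.pdf HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /portal/kmc/example?q=%3CScRiPt%3Ealert(1)%3C/script%3E HTTP/1.1" 200 734',
    '10.0.0.9 - - [01/Jan/2025:10:00:09 +0000] "GET /portal/KMC/example?next=%256Aavascript%253Aalert(1) HTTP/1.1" 200 701',
    '10.0.0.7 - bob [01/Jan/2025:10:00:12 +0000] "GET /portal/other?q=%3Cscript%3E HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for i in scan(SAMPLE_LOG):
        print("suspicious:", SAMPLE_LOG[i])
```

Matches are leads for triage rather than proof of exploitation; correlate them with the authenticated user and referrer on the same request.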
