PT-2023-21174 · SAP · SAP GUI for HTML

Published: 2023-04-11 · Updated: 2023-04-18 · CVE-2023-27499

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SAP GUI for HTML versions 7.22 through 7.91, KRNL64UC, 7.22EXT

Description: The issue arises from insufficient encoding of user-controlled input, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure the victim into clicking it, allowing the attacker-supplied script to execute in the victim's browser. This could lead to information in the victim's web browser being read or modified and then sent to the attacker.

Recommendations: For SAP GUI for HTML versions 7.22 through 7.91, KRNL64UC, 7.22EXT, consider disabling the processing of user-controlled inputs until a patch is available. Restrict access to SAP GUI for HTML to minimize the risk of exploitation. Avoid using SAP GUI for HTML for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Tag: XSS

