PT-2024-8162 · SAP · SAP Web Dispatcher

Published: 2024-11-11 · Updated: 2024-12-11 · CVE-2024-47590

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: SAP Web Dispatcher versions prior to the November 2024 Patch Day
Description: An unauthenticated attacker can create a malicious link and make it publicly available. When an authenticated victim clicks on this malicious link, the input data is used by the web site page generation to create content which, when executed in the victim's browser (XSS) or transmitted to another server (SSRF), gives the attacker the ability to execute arbitrary code on the server, fully compromising confidentiality, integrity and availability. The vulnerability is actively exploited in the wild.
Recommendations: As a temporary workaround, consider disabling the web site page generation feature until a patch is available. Apply the November 2024 Patch Day updates to SAP Web Dispatcher to resolve the issue. Restrict access to the SAP Web Dispatcher until the patch is applied to minimize the risk of exploitation.

Related Identifiers

BDU:2024-09703
CVE-2024-47590

Affected Products

SAP Web Dispatcher