SAP NetWeaver Application Server Java
cpe:2.3:a:sap:application_server_java:*:*:*:*:*:*:*, +5 more
A code injection vulnerability has been identified in SAP NetWeaver Application Server Java, specifically within Web Dynpro Java. It allows an unauthenticated attacker to send crafted input that the application interprets, potentially referencing attacker-controlled content. If a victim interacts with the affected functionality, the injected content could be executed in the victim's browser, leading to a session compromise. Successful exploitation could enable the attacker to execute arbitrary client-side code, affecting the application's confidentiality and integrity, with no impact on availability.
Exploitation of this vulnerability could result in unauthorized execution of client-side code in the context of the victim's browser, potentially compromising the victim's session and allowing access to sensitive information or functionality within the application.
Users are advised to consult the SAP Security Notes for guidance on applying necessary patches. Security fixes for SAP NetWeaver products are typically included in support packages. For information on the latest SAP Security Patch Day, refer to the SAP Security Patch Day Bulletin.