
Cloud Vulnerability DB
A community-led vulnerabilities database
A stored cross-site scripting (XSS) vulnerability (CVE-2022-35294) was identified in SAP NetWeaver Application Server ABAP. The vulnerability was disclosed on September 13, 2022, and affects multiple versions of the software, including versions 7.22EXT through 7.89. An attacker with basic business user privileges can upload malicious files that, when downloaded and viewed by other users, result in a stored XSS attack (NVD, CVE).
The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (Medium severity). The attack vector is Network-based (AV:N) with Low attack complexity (AC:L), requiring Low privileges (PR:L) and User interaction (UI:R). The scope is Changed (S:C), with Low impact on both Confidentiality (C:L) and Integrity (I:L), and No impact on Availability (A:N) (AttackerKB).
When successfully exploited, this vulnerability can lead to information disclosure, including the potential theft of authentication information. The attacker could subsequently impersonate the affected user, potentially compromising sensitive data and user accounts (NVD).
SAP has released security patches to address this vulnerability. Users should refer to SAP Security Note 3218177 for detailed mitigation instructions (SAP Note).
Source: This report was generated using AI