According to the Cisco advisory, the Quote Request Tab allows creating comments on quotes and could be exploited to inject malicious code. Exploitation of this vulnerability may lead to a cross-site scripting (XSS) attack. Cisco has assigned this VDB to the Sanitization Management System. The setup of this component is performed in the SAP system. Cisco has recommended that system users update the vulnerable components as soon as possible. Additionally, Cisco has published the required updates for the Sanitization Management System on the Cisco community website.

Vulnerable Components

The vulnerability is located in the Quote Request Tab, which is part of the Sanitization Management System. This component allows users to create comments on quotes, and those comments are then displayed on the quote page. Because comment content can carry malicious code into the page, an attacker can inject script there and, through the resulting cross-site scripting, gain control over the system.

There are two components that Cisco has assigned this vulnerability to:
- Any comment that uses any of the following content languages:
  - HTML (Tags)
  - JavaScript (Tags)
  - CSS (Tags)

This particular vulnerability resides within the CSS (tags).
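The advisory describes the classic stored-XSS pattern: a comment is written by one user, persisted, and later rendered into the quote page for other users without output encoding. The following Python snippet is an added illustration and is not code from Cisco, SAP or the Sanitization Management System; it contrasts a renderer that interpolates the comment verbatim with one that HTML-encodes it, and adds a small parser-based check that reports which of the three content languages the advisory lists (HTML, JavaScript, CSS) a comment would introduce. The sample comments are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser
from typing import List, Set, Tuple

# Constructed sample comments (not taken from the advisory): one plain-text
# comment and three that carry markup in each of the content languages listed.
SAMPLE_COMMENTS = [
    "Please confirm the lead time on line item 3.",
    "<b>Urgent</b> - please prioritise this quote.",
    "<style>body{display:none}</style>Urgent",
    '<script>document.title="changed"</script>',
]


class _TagCollector(HTMLParser):
    """Records every start tag (and its attributes) a browser would parse."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Tuple[str, list]] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        self.tags.append((tag, attrs))


def _collect_tags(fragment: str) -> List[Tuple[str, list]]:
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def render_comment_vulnerable(comment: str) -> str:
    """The flaw pattern: the stored comment is interpolated into the page as-is,
    so any tags it contains become live markup in every viewer's browser."""
    return f'<div class="comment">{comment}</div>'


def render_comment_hardened(comment: str) -> str:
    """HTML-encodes the comment so '<', '>', '&' and quotes reach the browser as
    text characters rather than as markup. Context-specific encoding would be
    needed if the value were placed inside an attribute, script or style block."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def embedded_tags(rendered: str) -> List[str]:
    """Tags a browser would parse out of the rendered fragment, excluding the
    wrapper <div> that the renderer itself emits (always the first tag)."""
    return [tag for tag, _ in _collect_tags(rendered)[1:]]


def classify_markup(comment: str) -> Set[str]:
    """Maps the markup present in a raw comment onto the advisory's three content
    languages: <script> -> JavaScript, <style> -> CSS, anything else -> HTML.
    Inline event handlers and style attributes are classified the same way."""
    languages: Set[str] = set()
    for tag, attrs in _collect_tags(comment):
        if tag == "script":
            languages.add("JavaScript")
        elif tag == "style":
            languages.add("CSS")
        else:
            languages.add("HTML")
        for name, _ in attrs:
            if name.startswith("on"):
                languages.add("JavaScript")
            elif name == "style":
                languages.add("CSS")
    return languages


if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        print(f"comment      : {comment!r}")
        print(f"  languages  : {sorted(classify_markup(comment)) or ['none']}")
        print(f"  vulnerable : {embedded_tags(render_comment_vulnerable(comment))}")
        print(f"  hardened   : {embedded_tags(render_comment_hardened(comment))}")
```

Run as a script, the report shows that the vulnerable renderer hands the browser a live `<b>`, `<style>` or `<script>` element for three of the four samples, while the hardened renderer yields no tags for any of them. The `classify_markup` helper is the kind of check a reviewer can run over a comment store to find entries that would need re-encoding after a fix is deployed.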

Cisco Has Published Software Updates for the Vulnerable Components

Cisco has published the software updates for the vulnerable components on the Cisco community website. The following updates are required: Release 12.2(55)SE, Release 15.0(1)M3, Policy Enforcement Manager (PEM), and Security Analytics (SAM).
The VDB is CVE-2022-3519 and has been assigned to the SAP Sanitization Management System.

Vulnerable Software & Updates

Vendor: Cisco
Vulnerability Type: Cross-Site Scripting (XSS)
Products: Sanitization Management System (SMS)
Problem Fixed: CVE-2022-3519 – the Quote Request Tab allows creating comments on quotes and could be exploited to inject malicious code, which may lead to a cross-site scripting attack. Cisco has assigned this VDB to the Sanitization Management System; the setup of this component is performed in the SAP system.

Cisco Source Code Review

Cisco has released a security notice that recommends that system users update the vulnerable components as soon as possible. Cisco has published the required updates for the Sanitization Management System on the Cisco community website.
The setup of this component is performed in the SAP system, so it is recommended that you contact your SAP representative for any upgrade requirements.
This vulnerability could be exploited by malicious code to execute arbitrary commands within the web interface of your system.

Timeline

Published on: 10/15/2022 10:15:00 UTC
Last modified on: 10/20/2022 14:07:00 UTC