CVE-2022-35291 Vulnerability Details

  /     /     /  

CVE-2022-35291 Metadata Quick Info

CVE Published: 27/07/2022 | CVE Updated: 03/08/2024 | CVE Year: 2022
Source: sap | Vendor: SAP SuccessFactors | Product: SAP SuccessFactors Mobile Application for Android & iOS devices
Status : PUBLISHED

---

CVE-2022-35291 Description

Due to misconfigured application endpoints, SAP SuccessFactors attachment APIs allow attackers with user privileges to perform activities with admin privileges over the network. These APIs were consumed in the SF Mobile application for Time Off, Time Sheet, EC Workflow, and Benefits. On successful exploitation, the attacker can read/write attachments. Thus, compromising the confidentiality and integrity of the application

Metrics

CVSS Version: 3.1 | Base Score: 8.1 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* LOW
    User Interaction (UI)* NONE
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* HIGH
    Availability Impact (A)* NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-269
CWE Name: CWE-269 Improper Privilege Management
Source: SAP SuccessFactors

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).