cve/2024/CVE-2024-37171.md
2025-09-29 21:09:30 +02:00

### [CVE-2024-37171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37171)
![](https://img.shields.io/static/v1?label=Product&message=SAP%20Transportation%20Management%20(Collaboration%20Portal)&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=SAPTMUI%20140%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=SAPTMUI%20150%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=SAPTMUI%20160%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=SAPTMUI%20170%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-918%3A%20Server-Side%20Request%20Forgery&color=brightgreen)
### Description
SAP Transportation Management (Collaboration Portal) allows an attacker with non-administrative privileges to send a crafted request from a vulnerable web application. This will trigger the application handler to send a request to an unintended service, which may reveal information about that service. The information obtained could be used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. There is no effect on integrity or availability of the application.
### POC
#### Reference
No PoCs from references.
#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds