SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 2607126
was released on
09.11.2021 and deals with
"Cross-Site Request Forgery vulnerability in Enterprise Services Repository of SAP Process Integration" within Java.
We advice you to follow the instructions, to resolve
Cross-Site Scripting (XSS)
medium potential for exploitation
in component BC-XI-IBF.
According to SAP Security Advisory team a workaround does not exist. It is advisable to implement the correction as monthly patch process .
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based
applications. XSS combines
affected web application.
Risk specificationEnterprise Services Repository (ESR) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability which would allow an unauthenticated attacker to hijack session and non-repudiation.
The respective input/output encoding has been added preventing a successful reflected XSS attack.
SAP Netweaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for
- FRAMEWORK 7.31 6
- FRAMEWORK 7.40 6
- FRAMEWORK 7.50 6
- MESSAGING 7.31 4
- MESSAGING 7.40 4
- MESSAGING 7.50 4
- SAP_XIAF 7.31 5
- SAP_XIAF 7.40 5
- SAP_XIAF 7.50 5
- SAP_XIESR 7.31 5
- SAP_XIESR 7.40 5
- SAP_XIESR 7.50 5
- SAP_XIGUILIB 7.31 2
- SAP_XIGUILIB 7.40 2
- SAP_XIGUILIB 7.50 2
- SAP_XITOOL 7.31 6
- SAP_XITOOL 7.40 6
- SAP_XITOOL 7.50 6
- 9.0 [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)
- 8.2 [CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework
- 6.5 [CVE-2019-0385] Cross-Site Scripting (XSS) vulnerability in SAP Enable Now
- 6.1 [CVE-2020-6193]Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Knowledge Management ICE Service)
- 6.1 [CVE-2020-6229] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME)