On 14.01.2020, SAP SE released a security-relevant correction. The manufacturer resolves an issue within Java.
SAP Note 2863743 addresses "[CVE-2020-6305] Cross-Site Scripting (XSS) vulnerability in Rest Adapter of SAP Process Integration" to prevent cross-site scripting (XSS); the risk of exploitation is rated medium.
According to the SAP Security Advisory team, no workaround exists. The team suggests implementing the correction as part of the monthly patch process.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based applications.
XSS combines
affected web application.
Risk specification
Rest Adapter of SAP Process Integration does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
The user inputs are now encoded for the affected parts of the application to prevent a successful XSS attack.
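As an added illustration of the defect class and the fix described above (example code, not SAP's Rest Adapter implementation; the endpoint, the channel-name parameter and the encoder are hypothetical), a Java handler that reflects a caller-controlled value into an HTML response before and after encoding:

```java
/**
 * Hypothetical example of the defect class fixed by SAP Note 2863743: a REST endpoint
 * that reflects a caller-controlled value into an HTML response without encoding,
 * beside the corrected version that HTML-encodes every such value.
 * This is not SAP's code; the endpoint and parameter names are invented.
 */
public final class RestAdapterXssExample {

    /** Minimal HTML entity encoder for text placed between tags or inside quoted attributes. */
    public static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** "Before": the channel name taken from the request is concatenated into the HTML body verbatim. */
    public static String vulnerableErrorPage(String channelName) {
        return "<html><body>Channel '" + channelName + "' not found</body></html>";
    }

    /** "After": the same response with the user-controlled value encoded, as the note's fix describes. */
    public static String hardenedErrorPage(String channelName) {
        return "<html><body>Channel '" + encodeForHtml(channelName) + "' not found</body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample input: a value carrying HTML markup, the kind of input encoding must neutralise.
        String untrusted = "<b>x</b>";
        System.out.println("vulnerable: " + vulnerableErrorPage(untrusted));
        System.out.println("hardened:   " + hardenedErrorPage(untrusted));
        // Defender's check: the hardened output must not carry raw markup originating from the input.
        boolean markupNeutralised = !hardenedErrorPage(untrusted).contains("<b>");
        System.out.println("markup neutralised: " + markupNeutralised);
    }
}
```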
SAP NetWeaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP NetWeaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for
- 5.4 [CVE-2020-6303] Improper input validation in SAP Disclosure Management
- 5.4 [CVE-2019-0395] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad)
- 5.4 [CVE-2021-21447] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
- 5.4 [CVE-2021-21445] Header Manipulation vulnerability in SAP Commerce Cloud