On 13.10.2020 SAP SE released a security-relevant correction. The manufacturer resolves an issue within SAP Commerce Cloud.
SAP Note 2917381 addresses "[CVE-2020-6272] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Cloud" to prevent Cross-Site Scripting (XSS) with a medium risk for exploitation.
According to the SAP Security Advisory team, no workaround exists. The team suggests implementing the correction as part of maintenance.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based applications. XSS combines
affected web application.
Risk specification: SAP Commerce Cloud does not sufficiently encode user inputs, which allows an authenticated and authorized content manager to inject malicious scripts into several web CMS components, resulting in a Cross-Site Scripting (XSS) vulnerability.
SAP Commerce Cloud has been updated with proper HTML output encoding and HTML sanitization.
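As an added illustration (not SAP's code; the CMS component, its field names and the tag allowlist are constructed assumptions), the raw rendering that the note describes next to a hardened version that applies HTML output encoding to a plain-text field and allowlist sanitization to a rich-text field:

```python
from html import escape
from html.parser import HTMLParser

# Constructed, hypothetical CMS component: a plain-text "title" and a
# rich-text "body" authored by a content manager (not SAP Commerce code).
ALLOWED_TAGS = {"b", "i", "p", "br"}        # allowlist for rich text
ALLOWED_ATTRS = {"p": {"class"}}            # no event handlers, no href/src


class AllowlistSanitizer(HTMLParser):
    """Rebuilds rich-text HTML keeping only allowlisted tags and attributes;
    text nodes are always output-encoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                                   # drop <script>, <img>, ...
        kept = [f' {k}="{escape(v or "", quote=True)}"'
                for k, v in attrs if k in ALLOWED_ATTRS.get(tag, set())]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))    # encode text, never trust it


def sanitize_rich_text(html: str) -> str:
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


def render_component_vulnerable(title: str, body: str) -> str:
    # The defect class described above: authored values are concatenated raw.
    return f"<h2>{title}</h2><div>{body}</div>"


def render_component_fixed(title: str, body: str) -> str:
    # Plain-text field: HTML output encoding. Rich-text field: sanitization.
    return f"<h2>{escape(title, quote=True)}</h2><div>{sanitize_rich_text(body)}</div>"
```

The two fixes are not interchangeable: encoding a rich-text field would destroy its formatting, while sanitizing a plain-text field would still let stray markup through, so each CMS field needs the treatment that matches how it is rendered.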
- 9.0 [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)
- 8.2 [CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework
- 6.5 [CVE-2019-0385] Cross-Site Scripting (XSS) vulnerability in SAP Enable Now
- 6.1 [CVE-2020-6193] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Knowledge Management ICE Service)
- 6.1 [CVE-2020-6205] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP Business Server Pages (Smart Forms)