A note with CVSS 4.8 for component BC-CTS-DTR was released by SAP on 13.10.2020. The correction/advisory 2939419 was described with "[CVE-2020-6370] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (DI Design Time Repository)" and affects the system type SAP NetWeaver Development Infrastructure (NWDI).
A workaround does not exist, according to the SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is Cross-Site Scripting (XSS) within SAP NetWeaver Development Infrastructure (NWDI).
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based applications. XSS combines
affected web application.
Risk specification
SAP NetWeaver Design Time Repository (DTR) does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
The URL parameters are now properly encoded to prevent a successful XSS attack.
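As an added illustration (not SAP's code; the path, parameter name and sample request are placeholders), the defective pattern of reflecting a URL parameter into HTML without encoding, beside the corrected context-aware encoding, plus a check a tester can apply to a response:

```python
import html
from urllib.parse import urlsplit, parse_qs, quote

# Constructed sample request: the parameter value carries markup and a quote
# so that both the text and the attribute context are exercised. The path and
# parameter name are placeholders, not DTR's real URL layout.
SAMPLE_URL = 'https://example.invalid/dtr/ws?name="><b>injected</b>'


def reflected_param(url, key):
    """Return the first value of `key` from the URL's query string (or '')."""
    return parse_qs(urlsplit(url).query).get(key, [""])[0]


def render_unencoded(value):
    """Defective pattern: the parameter is concatenated into HTML verbatim."""
    return ('<h1>Workspace ' + value + '</h1>'
            '<a href="/dtr/ws?name=' + value + '">link</a>')


def render_encoded(value):
    """Corrected pattern: encode the value for each context it lands in."""
    text = html.escape(value, quote=True)   # HTML text and attribute context
    param = quote(value, safe="")           # URL query-parameter context
    return ('<h1>Workspace ' + text + '</h1>'
            '<a href="/dtr/ws?name=' + param + '">link</a>')


def raw_markup_reflected(page, value):
    """Tester's check: True when a value containing markup characters appears
    verbatim in the response, i.e. the reflection is unencoded."""
    return value in page and any(ch in value for ch in "<>\"'")


if __name__ == "__main__":
    v = reflected_param(SAMPLE_URL, "name")
    print("unencoded reflection:", raw_markup_reflected(render_unencoded(v), v))
    print("encoded reflection:  ", raw_markup_reflected(render_encoded(v), v))
```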
The advisory is valid for
- DI_DTR 7.11
- DI_DTR 7.30
- DI_DTR 7.31
- DI_DTR 7.40
- DI_DTR 7.50

- 9.0 [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)
- 8.2 [CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework
- 6.5 [CVE-2019-0385] Cross-Site Scripting (XSS) vulnerability in SAP Enable Now
- 6.1 [CVE-2020-6193] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Knowledge Management ICE Service)
- 6.1 [CVE-2020-6205] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP Business Server Pages (Smart Forms)