SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 2948317
was released on
11.08.2020 and deals with
"Vulnerabilities in open source libraries used in SAP Commerce" within SAP Commerce.
We advice you to follow the instructions, to resolve
Cross-Site Scripting (XSS)
medium potential for exploitation
in component CEC-COM-CPS.
According to SAP Security Advisory team a workaround does not exist. It is advisable to implement the correction as monthly patch process .
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based
applications. XSS combines
affected web application.
Risk specificationSAP Commerce uses vulnerable versions of the CKEditor and the jQuery library, resulting in a Cross-Site scripting and a prototype pollution vulnerability that allow an unauthenticated attacker to inject arbitrary web scripts.
The vulnerable libraries have been exchanged with fixed ones.
- 9.0 [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)
- 8.2 [CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework
- 6.5 [CVE-2019-0385] Cross-Site Scripting (XSS) vulnerability in SAP Enable Now
- 6.1 [CVE-2020-6193]Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Knowledge Management ICE Service)
- 6.1 [CVE-2020-6205] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP Business Server Pages (Smart Forms)