On 13.10.2020 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within SAP Enterprise Portal (Fiori Framework).
SAP Note 2960329 addresses "[CVE-2020-6323] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (Fiori Framework Page)" to prevent Cross-Site Scripting (XSS) with a medium risk for exploitation.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based
applications. XSS combines
affected web application.
Risk specificationThe SAP NetWeaver Enterprise Portal (Fiori Framework Page) does not sufficiently encode user-controlled inputs, which leaves the possibility of Cross Site Scripting (XSS) attacks.
The correct content-type is now returned to prevent a successful XSS attack.
The advisory is valid for
- EP-FLP 7.50
- EP-RUNTIME 7.31
- EP-RUNTIME 7.40
- 9.0 [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)
- 8.2 [CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework
- 6.5 [CVE-2019-0385] Cross-Site Scripting (XSS) vulnerability in SAP Enable Now
- 6.1 [CVE-2020-6193]Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Knowledge Management ICE Service)
- 6.1 [CVE-2020-6205] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP Business Server Pages (Smart Forms)