A note with CVSS 6.5 for component KM-SEN-MGR was released by SAP on 11.10.2022. The correction/advisory 3049899 is titled "[CVE-2022-35297] Stored Cross-Site Scripting (XSS) vulnerability in SAP Enable Now" and affects the system type SAP Enable Now.
A workaround exists, according to the SAP Security Advisory team. It is advisable to implement the correction as part of the monthly patch process.
The vulnerability addressed is cross-site scripting (XSS) within SAP Enable Now.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based applications. XSS combines
affected web application.
Risk specification: SAP Enable Now does not sufficiently encode URL parameters, allowing an unauthenticated attacker to view or modify information, resulting in a cross-site scripting attack.
The URL parameters are now properly encoded to prevent a successful XSS attack. Although an alternative solution exists, it is advisable to apply the correction. This is the workaround suggested by the SAP security experts: "Cross-site scripting/request forgery filter engine on IDS/IPS/firewall systems."
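As an added illustration (not SAP's code, and making no claim about Enable Now's internals), the defect class the note describes, a URL parameter emitted without context-appropriate encoding, is shown beside its corrected form, together with a review check that untrusted input cannot alter the page's tag structure. The page template, the host name and the sample parameter are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical page template standing in for the affected component: a URL
# parameter lands in an HTML text node and in a link's href attribute.
PAGE = ('<html><body><h1>Search: {term}</h1>'
        '<a href="/search?q={q}">again</a></body></html>')
BASE_URL = "https://example.invalid/search"  # constructed, not a real host

def param_q(url: str) -> str:
    """Return the first `q` query parameter of `url` (empty if absent)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]

def render_vulnerable(url: str) -> str:
    """Defect class from the note: the parameter is inserted verbatim."""
    term = param_q(url)
    return PAGE.format(term=term, q=term)

def render_fixed(url: str) -> str:
    """Corrected form: encode per output context. html.escape(quote=True)
    covers text nodes and quoted attribute values; quote() percent-encodes
    the value that becomes part of a URL."""
    term = param_q(url)
    return PAGE.format(term=html.escape(term, quote=True), q=quote(term, safe=""))

class _Tags(HTMLParser):
    """Collects (tag, attribute names) for every start tag in a document."""
    def __init__(self):
        super().__init__()
        self.seen = []
    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, tuple(sorted(name for name, _ in attrs))))

def tag_structure(doc: str) -> list:
    p = _Tags()
    p.feed(doc)
    return p.seen

def markup_injected(render, url: str) -> bool:
    """Review check: untrusted input must never change the page's tag and
    attribute structure. True means the parameter introduced markup."""
    return tag_structure(render(url)) != tag_structure(render(BASE_URL))

# Constructed input containing characters that are significant in HTML.
SAMPLE_URL = BASE_URL + "?q=" + quote('"><b onmouseover="x">hi</b>', safe="")

if __name__ == "__main__":
    print("vulnerable renderer unsafe:", markup_injected(render_vulnerable, SAMPLE_URL))
    print("fixed renderer unsafe:", markup_injected(render_fixed, SAMPLE_URL))
```

The same structure comparison can be run in a test suite against every parameter a page reflects, which is how a missing encoding step is caught before release rather than in an advisory.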
SAP Enable Now provides the knowledge your employees need to succeed exactly where and when it’s needed. The product exists for on-premise and cloud applications. A security guide is provided for each facet of the SAP Enable Now product.
The advisory is valid for