On 14.09.2021 SAP released note 3082219 (CVSS 4.8) for component EP-PIN-PRT. The correction/advisory is titled "[CVE-2021-21489] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal" and affects the system type Java.
According to the SAP Security Advisory team, no workaround exists. It is advisable to implement the correction as part of regular maintenance.
The vulnerability addressed is Cross-Site Scripting (XSS) in the Java stack.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based applications. XSS combines
affected web application.
Risk specification: SAP NetWeaver Portal does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability that allows an authenticated attacker with high privileges to store malicious script on the system. Because the script is stored, it is later delivered to every user whose browser renders the affected page, not only to the attacker's own session.
The URL parameters are now properly encoded to prevent a successful XSS attack.
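The following is an added illustration of the defect class and the fix, written for this page in plain Java SE; it is not SAP code and does not reproduce the actual Enterprise Portal component. The class name, the `/irj/portal?title=` URL, the in-memory store and the sample payload are all hypothetical. It contrasts a render path that concatenates a stored, user-controlled value straight into HTML with one that encodes the value for each output context (HTML body, URL query parameter, HTML attribute) at render time.

```java
// Added example for this page (not SAP code). Demonstrates why a value that an
// authenticated user stores must be encoded per output context when rendered.
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

public class PortalParamEncodingDemo {

    // Hypothetical persistence: a privileged user stores a page title once,
    // and every later visitor gets it rendered into their page (stored XSS).
    private static final Map<String, String> TITLE_STORE = new HashMap<>();

    static void storeTitle(String pageId, String title) {
        TITLE_STORE.put(pageId, title);
    }

    // Vulnerable pattern: the stored value is concatenated into HTML verbatim,
    // both as text and inside an href attribute.
    static String renderVulnerable(String pageId) {
        String title = TITLE_STORE.get(pageId);
        return "<h1>" + title + "</h1>"
             + "<a href=\"/irj/portal?title=" + title + "\">link</a>";
    }

    // HTML entity encoding for text and quoted-attribute contexts.
    static String encodeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Percent-encoding for a value placed in a URL query string.
    // URLEncoder is form-encoding, so '+' is mapped back to %20 for a query value.
    static String encodeUrlParam(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20");
    }

    // Hardened pattern: encode at output time, once per context. The URL
    // parameter is URL-encoded first, then HTML-encoded because the whole URL
    // sits inside an HTML attribute.
    static String renderHardened(String pageId) {
        String title = TITLE_STORE.get(pageId);
        return "<h1>" + encodeHtml(title) + "</h1>"
             + "<a href=\"/irj/portal?title=" + encodeHtml(encodeUrlParam(title)) + "\">link</a>";
    }

    public static void main(String[] args) {
        // Constructed payload: closes the attribute, then injects a script tag.
        String payload = "\"><script>alert(document.cookie)</script>";
        storeTitle("home", payload);

        String bad = renderVulnerable("home");
        String good = renderHardened("home");

        System.out.println("vulnerable: " + bad);
        System.out.println("hardened:   " + good);
        // Quick check: the hardened output must contain no raw '<script' anywhere.
        System.out.println("script tag survives in hardened output? " + good.contains("<script"));
    }
}
```

The point the note makes ("URL parameters are now properly encoded") is the `renderHardened` path: encoding is applied where the value is written into the response, not where it was accepted, so it does not matter that the value was stored by a privileged user long before rendering. A single generic "sanitize on input" step would not cover both the text node and the attribute/URL context shown here.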
SAP NetWeaver Application Server Java (AS Java) is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP NetWeaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for:
- EP-BASIS 7.10-7.11 3
- EP-BASIS 7.20
- EP-BASIS 7.30 3
- EP-BASIS 7.31 3
- EP-BASIS 7.40 3
- EP-BASIS 7.50 3
- EP-RUNTIME 7.10-7.11 3
- EP-RUNTIME 7.20 3
- EP-RUNTIME 7.30 3
- EP-RUNTIME 7.31 4
- EP-RUNTIME 7.40 4
- EP-RUNTIME 7.50 3
Other SAP notes addressing Cross-Site Scripting (CVSS score, note title):
- 9.0 [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)
- 8.2 [CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework
- 6.5 [CVE-2019-0385] Cross-Site Scripting (XSS) vulnerability in SAP Enable Now
- 6.1 [CVE-2020-6193] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Knowledge Management ICE Service)
- 6.1 [CVE-2020-6229] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME)