On 11.01.2022 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within SAP Enterprise Threat Detection.
SAP Note 3124597 addresses "[CVE-2022-22529] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Threat Detection" to prevent Cross-Site Scripting (XSS) with a medium risk for exploitation.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based
applications. XSS combines
affected web application.
Risk specificationSAP Enterprise Threat Detection (ETD) does not sufficiently encode user-controlled inputs which may lead to an unauthorized attacker possibly to exploit an XSS vulnerability.
The XSS vulnerability has been fixed by the output encoding of the user-controlled inputs.
The advisory is valid for
- 9.0 [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)
- 8.8 [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse
- 8.2 [CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework
- 8.1 [CVE-2022-26101] Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad
- 6.5 [CVE-2019-0385] Cross-Site Scripting (XSS) vulnerability in SAP Enable Now