A note with CVSS 6.1 for component EP-PIN-NAV was released by SAP on 08.03.2022. The correction/advisory 3146261 was described with "[CVE-2022-24395] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal" and affects the system type Java.
A workaround exists, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is Cross-Site Scripting (XSS) within Java.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based
applications. XSS combines
affected web application.
Risk specificationSAP NetWeaver Enterprise Portal does not sufficiently encode user-controlled inputs resulting in a Cross-Site Scripting attack.
The application now properly checks user-provided input. Although an alternative solution exists, it is advisable to apply the correction! This is the workaround, which was suggested by the SAP security experts: "Cross-site scripting/request forgery filter engine on IDS/IPS/firewall systems. ".
SAP Netweaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for
- EP-ADMIN 7.10-7.11 3
- EP-ADMIN 7.20 3
- EP-ADMIN 7.30 3
- EP-ADMIN 7.31 3
- EP-ADMIN 7.40 3
- EP-ADMIN 7.50 3
- 9.0 [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)
- 8.8 [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse
- 8.2 [CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework
- 8.1 [CVE-2022-26101] Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad
- 6.5 [CVE-2019-0385] Cross-Site Scripting (XSS) vulnerability in SAP Enable Now