On 08.03.2022 SAP SE released a security-relevant correction. The manufacturer resolves an issue within SAP Solution Manager and SAP Focused Run.
SAP Note 3147283 addresses "[CVE-2022-24399] Cross-Site Scripting (XSS) vulnerability in SAP Focused Run (Real User Monitoring)" to prevent Cross-Site Scripting (XSS); the risk of exploitation is rated medium.
According to the SAP Security Advisory team, a workaround exists. The team nevertheless advises implementing the correction as part of the monthly patch process.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based applications. XSS combines affected web application.
Risk specification: the SAP Focused Run REST service does not sufficiently sanitize the file name supplied in multipart/form-data input.
With the correction, the application properly validates user-provided input. Where circumstances prevent timely installation of the manufacturer's patch, the suggested workaround can be applied as a temporary, compensating mitigation: "Cross-site scripting/request forgery filter engine on IDS/IPS/firewall systems." Such a filter only blocks known patterns at the perimeter and does not remove the flaw, so the note should still be applied as soon as the patch process allows.
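To make the risk specification and the workaround concrete, the following added example (written for this page, not code from SAP or from the affected product) shows a multipart/form-data file part whose filename carries a script tag, a service that echoes the filename back into HTML unsanitized, the same endpoint hardened with an allow-list on input plus HTML encoding on output, and a simplified version of the signature check a perimeter "XSS filter engine" would apply. The request bodies, the boundary string, the `handle_upload` and `perimeter_filter_blocks` functions and the allow-list pattern are all constructed for illustration; the real SAP endpoint and its filter rules are not reproduced here.

```python
import html
import re

# Constructed sample requests (not captured SAP traffic). Both carry one file
# part; the second one's filename is an XSS payload of the kind this note covers.
BOUNDARY = "----WebKitFormBoundaryEXAMPLE"


def build_body(filename: str, content: str = "hello") -> str:
    """Build a single-part multipart/form-data body for the constructed samples."""
    return (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: text/plain\r\n"
        "\r\n"
        f"{content}\r\n"
        f"--{BOUNDARY}--\r\n"
    )


BENIGN_BODY = build_body("report.txt")
MALICIOUS_BODY = build_body("<script>alert(document.cookie)</script>.txt")


def parse_multipart(body: str, boundary: str) -> list:
    """Minimal multipart/form-data parser for the samples above (illustrative,
    not a complete RFC 7578 implementation). Returns one dict per part."""
    parts = []
    for segment in body.split(f"--{boundary}")[1:]:
        if segment.startswith("--"):      # closing delimiter "--boundary--"
            break
        head, _, data = segment.lstrip("\r\n").partition("\r\n\r\n")
        headers = {}
        for line in head.split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        # \bname= keeps the name= regex from matching inside filename=
        name = re.search(r'\bname="([^"]*)"', disposition)
        filename = re.search(r'filename="([^"]*)"', disposition)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": filename.group(1) if filename else None,
            "data": data[:-2] if data.endswith("\r\n") else data,
        })
    return parts


# Allow-list for file names (assumed policy): conservative characters only,
# no path separators, bounded length.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9._-]{1,255}$")


def handle_upload(body: str, boundary: str, hardened: bool) -> str:
    """Return the HTML fragment the service echoes back after an upload."""
    part = next(p for p in parse_multipart(body, boundary) if p["filename"] is not None)
    name = part["filename"]
    if not hardened:
        # VULNERABLE: the attacker-controlled filename lands in the page verbatim,
        # so any script in it runs in the victim's browser.
        return f"<p>Uploaded file: {name}</p>"
    if not SAFE_FILENAME.match(name):
        # Reject on input, and still encode the echoed value on the error path.
        return f"<p>Upload rejected: invalid file name {html.escape(name, quote=True)}</p>"
    # Encode on output: the two layers are independent; either alone stops this payload.
    return f"<p>Uploaded file: {html.escape(name, quote=True)}</p>"


# Signature of the kind an IDS/IPS/WAF "XSS filter engine" (the workaround named
# in the note) would apply to the multipart filename. Constructed here; a real
# engine has a far larger rule set, and such filters are bypassable, so this is
# a stopgap until the note is applied.
XSS_MARKERS = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE)


def perimeter_filter_blocks(body: str) -> bool:
    """True when any multipart filename in the request trips the XSS signature."""
    return any(
        XSS_MARKERS.search(m.group(1))
        for m in re.finditer(r'filename="([^"]*)"', body)
    )


if __name__ == "__main__":
    print("vulnerable:", handle_upload(MALICIOUS_BODY, BOUNDARY, hardened=False))
    print("hardened:  ", handle_upload(MALICIOUS_BODY, BOUNDARY, hardened=True))
    print("perimeter filter blocks payload:", perimeter_filter_blocks(MALICIOUS_BODY))
```

The hardened path combines an input allow-list with output encoding on purpose: the allow-list keeps hostile names out of storage and logs, while `html.escape` guarantees that whatever is echoed cannot change the HTML context, including on the rejection message itself, which is a common place for reflected XSS to survive a fix.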
- 9.0 [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)
- 8.2 [CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework
- 8.1 [CVE-2022-26101] Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad
- 6.5 [CVE-2023-0025] Cross Site Scripting in SAP Solution Manager (BSP Application)
- 6.5 [CVE-2022-41258] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation