On 14.06.2022, SAP SE released a security-relevant correction. The manufacturer resolves an issue within UI5.
SAP Note 3190675 addresses "Unsafe use of target blank in SAP Marketing Campaigns" to prevent cross-site scripting (XSS) with a low risk of exploitation.
A workaround exists, according to the SAP Security Advisory team. The team suggests implementing the correction as part of the monthly patch process.
Risk specification
SAP Marketing Campaigns do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
The SAP Marketing Campaigns App now ensures proper content encoding to prevent XSS attacks. Circumstances exist that prevent the timely installation of a patch provided by the manufacturer. In such cases, you may consider applying the suggested workaround as a temporary or compensating mitigation: "Cross-site scripting/request forgery filter engine on IDS/IPS/firewall systems."
The advisory is valid for
- 8.3 [CVE-2022-27656] Cross-Site Scripting (XSS) vulnerability in administration UI of SAP Webdispatcher and SAP Netweaver AS for ABAP and Java (ICM)
- 6.1 [CVE-2022-29618] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Design Time Repository)
- 5.4 [CVE-2022-29610] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP
- 4.7 [CVE-2022-22534] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver
- 3.7 Cross-Site Scripting (XSS) vulnerability in SAP Marketing Campaigns App