On 12.07.2022 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within Java.
SAP Note 3208819 addresses "[CVE-2022-35170] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal" to prevent cross-site scripting (xss) with a medium risk for exploitation.
A workaround does exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based
applications. XSS combines
affected web application.
Risk specificationSAP NetWeaver Enterprise Portal does not sufficiently encode user-controlled inputs over the network, allowing an unauthenticated attacker to view or modify information resulting in a Cross-Site Scripting attack.
The URL parameters are now properly encoded to prevent a successful XSS attack. Circumstances exist that prevent the timely installation of a patch provided by the manufacturer. In such cases, you may consider applying the suggested workaround as a temporary or compensating mitigation: "Cross-site scripting/request forgery filter engine on IDS/IPS/firewall systems. ".
SAP Netweaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for
- EP-RUNTIME 7.10-7.11 6
- EP-RUNTIME 7.20 6
- EP-RUNTIME 7.30 7
- EP-RUNTIME 7.31 8
- EP-RUNTIME 7.40 8
- EP-RUNTIME 7.50 7
- 8.3 [CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
- 8.3 [CVE-2021-33702] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
- 6.9 [CVE-2021-33691] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Notification Service)
- 6.4 [CVE-2021-27615] Cross-Site Scripting (XSS) vulnerability in SAP Manufacturing Execution
- 6.4 [CVE-2021-27600 ] Cross-Site Scripting (XSS) vulnerability in SAP Manufacturing Execution (System Rules)