A note with CVSS 6.1 for component EP-PIN-GPA was released by SAP on 12.07.2022. The correction/advisory 3210779 was described with "[CVE-2022-35224] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Portal" and affects the system type Java.
A workaround exists, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is cross-site scripting (xss) within Java.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based
applications. XSS combines
affected web application.
Risk specificationSAP NetWeaver Enterprise Portal does not sufficiently encode user-controlled inputs resulting in a Cross-Site Scripting attack.
The URL parameters are now properly encoded to prevent a successful XSS attack. Although an alternative solution exists, it is advisable to apply the correction! This is the workaround, which was suggested by the SAP security experts: "Cross-site scripting/request forgery filter engine on IDS/IPS/firewall systems. ".
SAP Netweaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for
- EP-RUNTIME 7.10-7.11 6
- EP-RUNTIME 7.20 6
- EP-RUNTIME 7.30 7
- EP-RUNTIME 7.31 8
- EP-RUNTIME 7.40 8
- EP-RUNTIME 7.50 7
- 8.3 [CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
- 8.3 [CVE-2021-33702] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
- 6.9 [CVE-2021-33691] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Notification Service)
- 6.5 [CVE-2022-35297] Stored Cross-Site Scripting (XSS) vulnerability in SAP Enable Now
- 6.4 [CVE-2021-27615] Cross-Site Scripting (XSS) vulnerability in SAP Manufacturing Execution