On 13.09.2022 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within Java.
SAP Note 3219164 addresses "[CVE-2022-35298] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC)" to prevent cross-site scripting (xss) with a medium risk for exploitation.
A workaround does exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based
applications. XSS combines
affected web application.
Risk specificationSAP NetWeaver Enterprise Portal (KMC) does not sufficiently encode user-controlled inputs resulting in a Cross-Site Scripting attack.
The URL parameters are now properly encoded to prevent a successful XSS attack. Circumstances exist that prevent the timely installation of a patch provided by the manufacturer. In such cases, you may consider applying the suggested workaround as a temporary or compensating mitigation: "Cross-site scripting/request forgery filter engine on IDS/IPS/firewall systems. ".
SAP Netweaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for
- 8.3 [CVE-2021-33702] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
- 8.3 [CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
- 8.0 [CVE-2022-41266] Cross-Site Scripting (XSS) vulnerability in SAP Commerce
- 6.9 [CVE-2021-33691] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Notification Service)
- 6.5 [CVE-2022-35297] Stored Cross-Site Scripting (XSS) vulnerability in SAP Enable Now