A note with CVSS 6.5 for component EPM-BFC-TCL-ADM-SEC was released by SAP on 08.11.2022. The correction/advisory 3260708 was described with "[CVE-2022-41258] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation" and affects the system type SAP Financial Consolidation.
A workaround does not exist, according to the SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is Cross-Site Scripting (XSS) within SAP Financial Consolidation.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based applications. XSS combines affected web application.
Risk specification: SAP Financial Consolidation allows an authenticated attacker to inject malicious script when running a common query in the Web Administration Console. This allows the attacker to view or modify information that would otherwise be restricted.
The URL parameters are now properly encoded to prevent a successful XSS attack.
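The fix class described above, reflecting a URL parameter only after output encoding, is illustrated here with a deliberately small, self-contained example. This is added code, not SAP's Web Administration Console or any code from note 3260708; the function names, the `q` query parameter and the example URL are assumptions constructed for the illustration.

```python
"""Added example (not SAP code): a reflected URL parameter as an XSS sink,
beside the same handler with output encoding applied before reflection.
The 'q' parameter, the function names and the URL are constructed for illustration."""
import html
from urllib.parse import parse_qs, urlsplit


def _query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, percent-decoded, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_query_page_vulnerable(url: str) -> str:
    """Reflects the parameter verbatim into the HTML body.

    Any markup the caller put into the parameter becomes part of the page,
    which is the defect class the advisory describes."""
    q = _query_param(url, "q")
    return f"<h1>Results for: {q}</h1>"


def render_query_page_fixed(url: str) -> str:
    """Encodes the parameter for the HTML text context before reflecting it.

    html.escape turns < > & " ' into entities, so the value is displayed as
    text and cannot open a tag or attribute. This is the 'properly encoded'
    behaviour the correction introduces."""
    q = _query_param(url, "q")
    return f"<h1>Results for: {html.escape(q, quote=True)}</h1>"


def contains_raw_tag(page: str, tag: str = "script") -> bool:
    """Simple regression check a defender can keep in a test suite:
    does the rendered page still contain an unencoded opening tag?"""
    return f"<{tag}" in page.lower()


if __name__ == "__main__":
    # Constructed probe URL: the parameter carries a harmless tag, percent-encoded.
    probe = "https://example.invalid/admin/query?q=%3Cscript%3Eprobe()%3C/script%3E"
    print("vulnerable:", render_query_page_vulnerable(probe))
    print("fixed:     ", render_query_page_fixed(probe))
    print("raw tag survives in fixed output:", contains_raw_tag(render_query_page_fixed(probe)))
```

The encoding shown is for the HTML text context only; a value placed into an attribute, a URL or a script block needs the encoding for that context, which is why the check above is a regression guard rather than a complete XSS test.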
The advisory is valid for
- 9.0 [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)
- 8.2 [CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework
- 8.1 [CVE-2022-26101] Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad
- 6.5 [CVE-2019-0385] Cross-Site Scripting (XSS) vulnerability in SAP Enable Now
- 6.3 Cross-Site Request Forgery vulnerability in Enterprise Services Repository of SAP Process Integration