CVE-2020-6283
4.8
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
SAP Fiori Launchpad does not sufficiently encode user controlled inputs, and hence allowing the attacker to inject the meta tag into the launchpad html using the vulnerable parameter, resulting in reflected Cross-Site Scripting (XSS) vulnerability. With a successful attack, the attacker can steal authentication information of the user, such as data relating to his or her current session.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SAP SE | SAP Fiori(Launchpad) | < 750 | affected |
| SAP SE | SAP Fiori(Launchpad) | < 752 | affected |
| SAP SE | SAP Fiori(Launchpad) | < 753 | affected |
| SAP SE | SAP Fiori(Launchpad) | < 754 | affected |
| SAP SE | SAP Fiori(Launchpad) | < 755 | affected |
Weaknesses
- Cross Site Scripting
ADP Enrichment
CVE Program Container
Additional References
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700
- https://launchpad.support.sap.com/#/notes/2865229
References
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700
- https://launchpad.support.sap.com/#/notes/2865229
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.