CVE-2020-6205Cross-site Scripting in SE SAP Netweaver Application Server Abap SAP Basis

CWE-79Cross-site Scripting5 documents5 sources
Severity
6.1MEDIUMNVD
EPSS
0.5%
top 33.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP SE SAP Netweaver Application Server Abap SAP BasisSAP Netweaver AS Abap Business Server Pages
Timeline
PublishedMar 10
Latest updateMay 24

Description

SAP NetWeaver AS ABAP Business Server Pages (Smart Forms), SAP_BASIS versions- 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54; does not sufficiently encode user controlled inputs, allowing an unauthenticated attacker to non-permanently deface or modify displayed content and/or steal authentication information of the user and/or impersonate the user and access all information with the same rights as the target user, leading to Reflected Cross Site Scripting Vulnerabi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

NVDsap/netweaver_as_abap_business13 versions+12

🔴Vulnerability Details

2
GHSA
GHSA-xj38-pj67-738p: SAP NetWeaver AS ABAP Business Server Pages (Smart Forms), SAP_BASIS versions- 72022-05-24
CVEList
CVE-2020-6205: SAP NetWeaver AS ABAP Business Server Pages (Smart Forms), SAP_BASIS versions- 72020-03-10

💥Exploits & PoCs

1
Nuclei
DELMIA Apriso - Broken Access Control

💬Community

1
Bugzilla
CVE-2020-25219 libproxy: uncontrolled recursion via an infinite stream response leading to stack exhaustion2020-09-18
CVE-2020-6205 — Cross-site Scripting | cvebase