CVE-2020-6283: Cross-site Scripting in SE SAP Fiori

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.4% (top 41.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 9; Latest update May 24

Description

SAP Fiori Launchpad does not sufficiently encode user-controlled inputs, which allows an attacker to inject a meta tag into the launchpad HTML via the vulnerable parameter, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. With a successful attack, the attacker can steal authentication information of the user, such as data relating to his or her current session.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

NVD: sap/fiori_launchpad (5 versions, +4)
CVEListV5: sap_se/sap_fiori (< 750, +4)

Vulnerability Details (2)

GHSA (2022-05-24)
GHSA-g64w-x6g2-6j38: SAP Fiori Launchpad does not sufficiently encode user controlled inputs, and hence allowing the attacker to inject the meta tag into the launchpad htm
CVEList (2020-09-09)
CVE-2020-6283: SAP Fiori Launchpad does not sufficiently encode user controlled inputs, and hence allowing the attacker to inject the meta tag into the launchpad htm