CVE-2020-6313Cross-site Scripting in SE SAP Netweaver AS Java

CWE-79Cross-site ScriptingCWE-116Improper Encoding or Escaping of OutputCWE-20Improper Input Validation3 documents3 sources
Severity
6.5MEDIUMNVD
EPSS
0.3%
top 47.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP SE SAP Netweaver AS JavaSAP Netweaver Application Server Java
Timeline
PublishedSep 9
Latest updateMay 24

Description

SAP NetWeaver Application Server JAVA(XML Forms) versions 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user controlled inputs, which allows an authenticated User with special roles to store malicious content, that when accessed by a victim, can perform malicious actions by executing JavaScript, leading to Stored Cross-Site Scripting.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5sap_se/sap_netweaver_as_java< 7.30+3
NVDsap/netweaver_application4 versions+3

🔴Vulnerability Details

2
GHSA
GHSA-4xqv-wh6m-q95v: SAP NetWeaver Application Server JAVA(XML Forms) versions 72022-05-24
CVEList
CVE-2020-6313: SAP NetWeaver Application Server JAVA(XML Forms) versions 72020-09-09
CVE-2020-6313 — Cross-site Scripting | cvebase