Description
Symptom
SAP Enterprise Threat Detection (ETD) does not sufficiently encode user-controlled inputs which may lead to an unauthorized attacker possibly exploit a XSS vulnerability. The UIs in ETD are using SAP UI5 standard controls, the UI5 framework provides automated output encoding for its standard controls. This output encoding prevents stored malicious user input from being executed when it is reflected in the UI.
Other Terms
XSS, Reflected XSS, CVE-2022-22529
Reason and Prerequisites
The user controlled inputs were not properly encoded when creating a new investigation, allowing XSS payload reflecting in the response.
Solution
The XSS vulnerability has been fixed by output encoding of the user controlled inputs. The fix has been made available with the Support Packages and Patches referenced by this SAP Security Note.
Available fix and Supported packages
ENTERPRISE THREAT DETECT 2.0|SP003|000006|
ENTERPRISE THREAT DETECT 2.0|SP004|000004|
ENTERPRISE THREAT DETECT 2.0
CVSS
Exploit
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/3124597
TAGS
XSS, Reflected XSS, CVE-2022-22529
