Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

CVE-2020-6324 Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Test Application), SAP security note 2948239

Description

BSP Test Application sbspext_table allows an unauthenticated attacker to send polluted URL to the victim, hence allowing Reflected Cross site scripting.

Information available in the victim’s web browser can be read, modified, and sent to the attacker. No sensitive data is disclosed to the attacker as the attack is possible only in test application and service disruption is not possible as part of the impacts.

Available fix and Supported packages

  • SAP_BASIS | 700 | 702
  • SAP_BASIS | 730 | 730
  • SAP_BASIS | 731 | 731
  • SAP_BASIS | 740 | 740
  • SAP_BASIS | 750 | 755
  • SAP_BASIS 700 | SAPKB70038 |
  • SAP_BASIS 701 | SAPKB70123 |
  • SAP_BASIS 702 | SAPKB70223 |
  • SAP_BASIS 730 | SAPKB73021 |
  • SAP_BASIS 751 | SAPK-75111INSAPBASIS |
  • SAP_BASIS 752 | SAPK-75207INSAPBASIS |
  • SAP_BASIS 753 | SAPK-75305INSAPBASIS |
  • SAP_BASIS 754 | SAPK-75403INSAPBASIS |
  • | SAPK-782BHINSAPBASIS |
  • SAP_BASIS 731 | SAPKB73128 |
  • SAP_BASIS 740 | SAPKB74025 |
  • SAP_BASIS 755 | SAPK-75501INSAPBASIS |
  • SAP_BASIS 750 | SAPK-75020INSAPBASIS |

Affected component

    BC-BSP
    Business Server Pages

CVSS

Score: 6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2948239

TAGS

#CSS
#Reflected-XSS
#XSS
#&160-CVE-2020-6324

More to explorer

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.