Security XSS vulnerability in ITS 6.20, SAP security note 1385621

Description

ITS 6.20 contains a cross-site scripting (XSS) vulnerability on the login page. If you select a service name that contains specially encoded characters instead of the service name such as WEBGUI, the JavaScript code that is contained in this can be executed in the context of the login page.

Credits to Erwin Paternotte, Fox-IT BV (https://www.fox-it.com) who reported this issue to SAP.

Available fix and Supported packages

BC-FES-ITS | 620 | 620
SAP ITS 6.20 | SP035 | 000035

Affected component

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/1385621

Vahagn Vardanian

Security XSS vulnerability in ITS 6.20, SAP security note 1385621

Description

Available fix and Supported packages

Affected component

CVSS

PoC

URL

TAGS

#XSS
#Cross-Site-Scripting
#security

Explore More

Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Fixed: Actively Exploited in the Wild

Securing Your SAP Migration: Integrating RedRays ABAP Security Scanner into DevSecOps Workflows

RedRays ABAP Security Scanner – Transforming SAP Security Through Advanced Code Analysis

SAP Security Patch Day – April 2025

Vahagn Vardanian

Security XSS vulnerability in ITS 6.20, SAP security note 1385621

Description

Available fix and Supported packages

Affected component

CVSS

PoC

URL

TAGS

#XSS#Cross-Site-Scripting#security

Explore More

Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Fixed: Actively Exploited in the Wild

Securing Your SAP Migration: Integrating RedRays ABAP Security Scanner into DevSecOps Workflows

RedRays ABAP Security Scanner – Transforming SAP Security Through Advanced Code Analysis

SAP Security Patch Day – April 2025

Special offer for SAP Security Udemy course!

$ 9.99

#XSS
#Cross-Site-Scripting
#security