Skip links
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

[CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse, SAP security note 3102769


A security vulnerability has been discovered in the SAP Knowledge Warehouse (SAP KW). The usage of one SAP KW component within a Web browser enables unauthorized attackers to conduct XSS attacks, which might lead to disclose sensitive data.

XSS,reflected XSS, CSS, KM-KW, SAP KW, Knowledge Warehouse, security, Web browser, CVE-2021-42063

The displaying component of SAP KW did not sufficiently validate and encode input parameters, resulting in a reflected cross-site scripting issue.

Important: The security breach might also occur if you do not actively use the displaying component of SAP KW at all. Simply the existence of the component on your landscape is sufficient.

With this correction the parameters will be properly validated and encoded to prevent a successful XSS attack.

Implement the Support Packages and Patches referenced by this SAP Note.


In case that you cannot implement the patch, you have two options for workaround:

Option 1: You may disable the vulnerable application following the documentation in “Config Tool Adding Filters – SAP Help Portal” ( ‘Component Name Mask’ parameter should be set as tc~km_tc*, ‘Vendor Mask’ Parameter – .

Option 2: In case the requests are routed via SAP Web Dispatcher you may add a rewrite rule to SAP Web Dispatcher to prevent from redirects.

Add the following rewrite rule to your Web Dispatcher configuration.

RegIForbiddenUrl ^/path/of/java/app.* –

If there is an existing icm/HTTP/mod_ = PREFIX=/, FILE=<…> in your setup:

  1. Add the new rule (above) to your existing rule file.
  2. Restart the Web Dispatcher or reload the file using the Web Administration UI.


  1. Create a new file on the file system (for example in the profile directory) and enter the role above in that file.
  2. Add a new parameter icm/HTTP/mod_0 = PREFIX=/, FILE=.
  3. Restart the Web Dispatcher.

See the documentation for more details about request rewriting “Modification of HTTP Requests – SAP Help” (

Please assess the workaround applicability for your SAP landscape prior to implementation. Note that this workaround is a temporary fix and is not a permanent solution. SAP strongly recommends that you apply the corrections outlined in the security note, which can be done in lieu of the workaround or after the workaround is implemented.


Available fix and Supported packages


Affected component





Exploit is not available.
For detailed information please contact the mail [email protected].



XSS, reflected XSS, CSS, KM-KW, SAP KW, Knowledge Warehouse, security, Web browser, CVE-2021-42063

Request more details about the vulnerability

More to explorer

SAP Security For All

RedRays Security Platform for Penetration testers and Bug hunters

The product package is specifically created for cyber security experts who have encountered SAP while participating in bug bounty programs.

RedRays Security Platform for SAP Consultants

The product package is designed for SAP consultants conducting security assessments of SAP ERP systems. We provide essential tools and resources to help professionals in this field conduct their work effectively.

RedRays Security Platform for Enterprises

The product package is specifically optimized to cater to the needs of both small/medium and large companies who are seeking to streamline the process of organizing a comprehensive security system for ERP systems.