Skip links

CVE-2020-6367 Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework, SAP security note 2972661

Description

There is a Reflected cross site scripting vulnerability in SAP NetWeaver Composite Application Framework. An unauthenticated attacker can trick an unsuspecting authenticated user to click on a malicious link. The end user’s browser has no way to know that the script should not be trusted, and will execute the script, resulting in sensitive information being disclosed or modified.

Available fix and Supported packages

  • CAF | 7.20 | 7.20
  • CAF | 7.30 | 7.30
  • CAF | 7.31 | 7.31
  • CAF | 7.40 | 7.40
  • CAF | 7.50 | 7.50
  • SAP CAF 7.20 | SP009 | 000004
  • SAP CAF 7.30 | SP019 | 000001
  • SAP CAF 7.30 | SP020 | 000001
  • SAP CAF 7.30 | SP021 | 000000
  • SAP CAF 7.31 | SP024 | 000001
  • SAP CAF 7.31 | SP025 | 000001
  • SAP CAF 7.31 | SP026 | 000001
  • SAP CAF 7.31 | SP027 | 000001
  • SAP CAF 7.31 | SP028 | 000000
  • SAP CAF 7.40 | SP019 | 000001
  • SAP CAF 7.40 | SP020 | 000001
  • SAP CAF 7.40 | SP021 | 000001
  • SAP CAF 7.40 | SP022 | 000001
  • SAP CAF 7.40 | SP023 | 000000
  • SAP CAF 7.50 | SP014 | 000001
  • SAP CAF 7.50 | SP015 | 000001
  • SAP CAF 7.50 | SP016 | 000001
  • SAP CAF 7.50 | SP017 | 000001
  • SAP CAF 7.50 | SP018 | 000001
  • SAP CAF 7.50 | SP019 | 000001
  • SAP CAF 7.50 | SP020 | 000000

Affected component

    BC-DWB-JAV-CAF
    Composite Application Framework

CVSS

Score: 8.2
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/2972661

TAGS

#&65279-XSS
#&160-CVE-2020-6367
#&160-Reflected-XSS
#CSS&65279