CVE-2020-6283

EPSS 0.36%
Published 09.09.2020 13:15:11
Last modified 21.11.2024 05:35:26
Source cna@sap.com
Teams watchlist Login
Open Login

SAP Fiori Launchpad does not sufficiently encode user controlled inputs, and hence allowing the attacker to inject the meta tag into the launchpad html using the vulnerable parameter, resulting in reflected Cross-Site Scripting (XSS) vulnerability. With a successful attack, the attacker can steal authentication information of the user, such as data relating to his or her current session.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

SAP ≫ Fiori Launchpad Version750

SAP ≫ Fiori Launchpad Version752

SAP ≫ Fiori Launchpad Version753

SAP ≫ Fiori Launchpad Version754

SAP ≫ Fiori Launchpad Version755

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.36%	0.553

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N
cna@sap.com	4.8	1.7	2.7	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://launchpad.support.sap.com/#/notes/2865229

Permissions Required

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-6283

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-6283

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-6283

EUVD