CVE-2020-6323: XSS
First published: Thu Oct 15 2020(Updated: )
SAP NetWeaver Enterprise Portal (Fiori Framework Page) versions - 7.50, 7.31, 7.40, does not sufficiently encode user-controlled inputs and allows an attacker on a valid session to create an XSS that will be both reflected immediately and also be persisted and returned in further access to the system, resulting in Cross Site Scripting.
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP NetWeaver Enterprise Portal | =7.31 | |
| SAP NetWeaver Enterprise Portal | =7.40 | |
| SAP NetWeaver Enterprise Portal | =7.50 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the CVE ID for this vulnerability?
The CVE ID for this vulnerability is CVE-2020-6323.
What is the severity of CVE-2020-6323?
The severity of CVE-2020-6323 is medium (6.1).
Which versions of SAP NetWeaver Enterprise Portal are affected?
SAP NetWeaver Enterprise Portal versions 7.31, 7.40, and 7.50 are affected.
How does this vulnerability affect SAP NetWeaver Enterprise Portal?
This vulnerability allows an attacker with a valid session to create a reflected and persisted XSS attack.
How can I fix CVE-2020-6323?
To fix CVE-2020-6323, apply the recommended patches provided by SAP and follow the guidelines mentioned in the SAP notes referenced in the vulnerability details.
- collector/nvd-index
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/type
- agent/event
- agent/last-modified-date
- agent/first-publish-date
- agent/description
- agent/tags
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- vendor/sap
- canonical/sap netweaver enterprise portal
- version/sap netweaver enterprise portal/7.31
- version/sap netweaver enterprise portal/7.40
- version/sap netweaver enterprise portal/7.50