CVE-2020-6283

4.8MEDIUM

Key Information:

Vendor: SAP
Status: SAP Fiori(launcHPad)
Vendor: CVE Published:; 9 September 2020

Summary

SAP Fiori Launchpad does not sufficiently encode user controlled inputs, and hence allowing the attacker to inject the meta tag into the launchpad html using the vulnerable parameter, resulting in reflected Cross-Site Scripting (XSS) vulnerability. With a successful attack, the attacker can steal authentication information of the user, such as data relating to his or her current session.

Affected Version(s)

SAP Fiori(Launchpad) < 750 < 750

SAP Fiori(Launchpad) < 752 < 752

SAP Fiori(Launchpad) < 753 < 753

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...

x_refsource_MISC

https://launchpad.support.sap.com/#/notes/2865229

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 9, 2020
Vulnerability Reserved
Jan 8, 2020