Cross-Site Scripting Vulnerability in SAP NetWeaver DTR
CVE-2020-6370
4.8 MEDIUM
Key Information:
- Vendor: SAP
- CVE Published: 20 October 2020
Summary
The SAP NetWeaver Design Time Repository (DTR) has a cross-site scripting vulnerability that arises from inadequate encoding of user-controlled inputs. This allows malicious actors to inject arbitrary scripts that execute in the browsers of unsuspecting users. This can lead to session compromise and theft of sensitive information, which underlines the importance of applying security updates and ensuring input validation across all affected versions.
Affected Version(s)
- SAP NetWeaver (DI Design Time Repository) < 7.11
- SAP NetWeaver (DI Design Time Repository) < 7.30
- SAP NetWeaver (DI Design Time Repository) < 7.31
CVSS V3.1
- Score: 4.8
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: Required
- Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved