CVE-2020-6254

Published: May 12, 2020Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

SAP Enterprise Threat Detection, versions 1.0, 2.0, does not sufficiently encode error response pages in case of errors, allowing XSS payload reflecting in the response, leading to reflected Cross Site Scripting.

Affected (2)

Products: Sap: Enterprise Threat Detection

Sap

1 product

Enterprise Threat Detection

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Sap Enterprise Threat Detection	Version 1.0
Sap Enterprise Threat Detection	Version 2.0

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://launchpad.support.sap.com/#/notes/2913293

Source: cna@sap.com

Permissions Required

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222

Source: cna@sap.com

Vendor Advisory

https://launchpad.support.sap.com/#/notes/2913293

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.