CVE-2020-6283

CVSS 4.8 MEDIUMEPSS 0.7%

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.8EPSS 0.7%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

09 Sep 2020Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

SAP Fiori Launchpad does not sufficiently encode user controlled inputs, and hence allowing the attacker to inject the meta tag into the launchpad html using the vulnerable parameter, resulting in reflected Cross-Site Scripting (XSS) vulnerability. With a successful attack, the attacker can steal authentication information of the user, such as data relating to his or her current session.

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Affected products

SAP SE · SAP Fiori(Launchpad)

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://launchpad.support.sap.com/#/notes/2865229 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700