Please find the original document at https://launchpad.support.sap.com/#/notes/ 3211760
A vulnerability in SAP NW EP WPC which does not sufficiently validate user-controlled input allows a remote attacker to conduct a cross- site scripting attack. A successful exploit could allow the attacker to execute arbitrary script code which could lead to stealing or modifying of authentication information of the user, such as data relating to his or her current session.
XSS, reflected XSS, CSS, CVE-2022-35227
Reason and Prerequisites
Additional information is not needed in order to be able to exploit this vulnerability.
The vulnerability is fixed with modifications in the SAP NW EP WPC. The actual text that was reflected to the screen is no longer reflected at all. This fix can be applied in the patches listed in the “Support Packages & Patches” section below.
CVSS v3.0 Base Score:6.1 /10
CVSS v3.0 Base Vector:
|Attack Vector (AV)||Network (N)|
|Attack Complexity (AC)||Low (L)|
|Privileges Required (PR)||None (N)|
|User Interaction (UI)||Required (R)|
|Scope (S)||Changed (C)|
|Confidentiality Impact (C)||Low (L)|
|Integrity Impact (I)||Low (L)|
|Availability Impact (A)||None (N)|
SAP provides this CVSS v3.0 base score as an estimate of the risk posed by the issue reported in this note.
This estimate does not take into account your own system configuration or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding on the applicability or priority of this SAP Security Note. For more information, see the FAQ section at https://support.sap.com/securitynotes.
|EP-WPC||7.30 – 7.30|
|EP-WPC||7.31 – 7.31|
|EP-WPC||7.40 – 7.40|
|EP-WPC||7.50 – 7.50|
Support Package Patches
|Software Component Version||Support Package||Patch Level|
|EP WEB PAGE COMPOSER 7.50||SP026||000000|
|EP WEB PAGE COMPOSER 7.50||SP025||000000|
|EP WEB PAGE COMPOSER 7.31||SP028||000002|
|EP WEB PAGE COMPOSER 7.30||SP021||000002|
|EP WEB PAGE COMPOSER 7.50||SP021||000001|
|EP WEB PAGE COMPOSER 7.50||SP022||000002|
|EP WEB PAGE COMPOSER 7.50||SP023||000002|
|EP WEB PAGE COMPOSER 7.50||SP024||000001|
|EP WEB PAGE COMPOSER 7.40||SP023||000002|
|EP WEB PAGE COMPOSER 7.50||SP019||000001|
|EP WEB PAGE COMPOSER 7.50||SP020||000001|