Version: 5
Language: English
Priority: Correction with medium priority
Release Status: Released for Customer
Component: EP-PIN-WPC (Web Page Composer)
Type: SAP Security Note
Master Language: English
Category: Program error
Released On: 12.07.2022

Please find the original document at https://launchpad.support.sap.com/#/notes/3211760

Symptom

A vulnerability in SAP NW EP WPC, which does not sufficiently validate user-controlled input, allows a remote attacker to conduct a cross-site scripting attack. A successful exploit could allow the attacker to execute arbitrary script code, which could lead to the theft or modification of the user's authentication information, such as data relating to his or her current session.

Other Terms

XSS, reflected XSS, CSS, CVE-2022-35227

Reason and Prerequisites

Additional information is not needed in order to be able to exploit this vulnerability.

Solution

The vulnerability is fixed with modifications in the SAP NW EP WPC. The actual text that was reflected to the screen is no longer reflected at all. This fix can be applied in the patches listed in the “Support Packages & Patches” section below.

CVSS

CVSS v3.0 Base Score: 6.1 / 10

CVSS v3.0 Base Vector:

Name                          Value
Attack Vector (AV)            Network (N)
Attack Complexity (AC)        Low (L)
Privileges Required (PR)      None (N)
User Interaction (UI)         Required (R)
Scope (S)                     Changed (C)
Confidentiality Impact (C)    Low (L)
Integrity Impact (I)          Low (L)
Availability Impact (A)       None (N)

SAP provides this CVSS v3.0 base score as an estimate of the risk posed by the issue reported in this note.
This estimate does not take into account your own system configuration or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding on the applicability or priority of this SAP Security Note. For more information, see the FAQ section at https://support.sap.com/securitynotes.

Software Components

Software Component    Release
EP-WPC                7.30 – 7.30
EP-WPC                7.31 – 7.31
EP-WPC                7.40 – 7.40
EP-WPC                7.50 – 7.50

Support Package Patches

Software Component Version    Support Package    Patch Level
EP WEB PAGE COMPOSER 7.50     SP026              000000
EP WEB PAGE COMPOSER 7.50     SP025              000000
EP WEB PAGE COMPOSER 7.31     SP028              000002
EP WEB PAGE COMPOSER 7.30     SP021              000002
EP WEB PAGE COMPOSER 7.50     SP021              000001
EP WEB PAGE COMPOSER 7.50     SP022              000002
EP WEB PAGE COMPOSER 7.50     SP023              000002
EP WEB PAGE COMPOSER 7.50     SP024              000001
EP WEB PAGE COMPOSER 7.40     SP023              000002
EP WEB PAGE COMPOSER 7.50     SP019              000001
EP WEB PAGE COMPOSER 7.50     SP020              000001
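
The patch table above can be turned into a check of installed EP WPC levels. The following is an added example, not SAP code or part of the original note: it parses the table rows and classifies a constructed inventory. It assumes the installed release, support package and patch level are already known, and that support packages newer than the highest one listed for a release ship with the fix; the host names and the `assess` and `parse_fix_table` helpers are hypothetical.

```python
import re

# Rows copied from the "Support Package Patches" table of this note.
FIX_TABLE = """\
EP WEB PAGE COMPOSER 7.50 SP026 000000
EP WEB PAGE COMPOSER 7.50 SP025 000000
EP WEB PAGE COMPOSER 7.31 SP028 000002
EP WEB PAGE COMPOSER 7.30 SP021 000002
EP WEB PAGE COMPOSER 7.50 SP021 000001
EP WEB PAGE COMPOSER 7.50 SP022 000002
EP WEB PAGE COMPOSER 7.50 SP023 000002
EP WEB PAGE COMPOSER 7.50 SP024 000001
EP WEB PAGE COMPOSER 7.40 SP023 000002
EP WEB PAGE COMPOSER 7.50 SP019 000001
EP WEB PAGE COMPOSER 7.50 SP020 000001
"""
ROW = re.compile(r"EP WEB PAGE COMPOSER (\d+\.\d+) SP(\d+) (\d+)")

def parse_fix_table(text):
    """Return {release: {support package: lowest patch level with the fix}}."""
    fixes = {}
    for line in text.splitlines():
        m = ROW.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unrecognised table row: {line!r}")
        fixes.setdefault(m[1], {})[int(m[2])] = int(m[3])
    return fixes

def assess(release, sp, patch, fixes):
    """Classify one installed EP WPC level against the note's fix table."""
    by_sp = fixes.get(release)
    if by_sp is None:
        return "release not listed in this note"
    if sp in by_sp:
        if patch >= by_sp[sp]:
            return "fixed"
        return f"vulnerable: apply patch level {by_sp[sp]:06d} or higher"
    if sp > max(by_sp):
        # Assumption: SPs newer than the highest listed one ship with the fix.
        return "fixed (SP newer than any listed, assumed to include the fix)"
    return f"vulnerable: no patch listed for SP{sp:03d}, move to a listed SP"

if __name__ == "__main__":
    # Constructed inventory: (host, release, SP, patch level) are sample values.
    inventory = [("portal-a", "7.50", 22, 1), ("portal-b", "7.50", 25, 0),
                 ("portal-c", "7.31", 20, 4), ("portal-d", "7.40", 24, 0)]
    fixes = parse_fix_table(FIX_TABLE)
    for host, release, sp, patch in inventory:
        print(f"{host}: EP WPC {release} SP{sp:03d} PL{patch}: {assess(release, sp, patch, fixes)}")
```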