Correction with medium priority
Release Status
Released for Customer
EP-PIN-WPC ( Web Page Composer )
SAP Security Note
Master Language
Program error
Released On

Please find the original document at 3211760


A vulnerability in SAP NW EP WPC which does not sufficiently validate user-controlled input allows a remote attacker to conduct a cross- site scripting attack. A successful exploit could allow the attacker to execute arbitrary script code which could lead to stealing or modifying of authentication information of the user, such as data relating to his or her current session.

Other Terms

XSS, reflected XSS, CSS, CVE-2022-35227

Reason and Prerequisites

Additional information is not needed in order to be able to exploit this vulnerability.


The vulnerability is fixed with modifications in the SAP NW EP WPC. The actual text that was reflected to the screen is no longer reflected at all. This fix can be applied in the patches listed in the “Support Packages & Patches” section below.


CVSS v3.0 Base Score:6.1 /10

CVSS v3.0 Base Vector:

Name Value
Attack Vector (AV) Network (N)
Attack Complexity (AC) Low (L)
Privileges Required (PR) None (N)
User Interaction (UI) Required (R)
Scope (S) Changed (C)
Confidentiality Impact (C) Low (L)
Integrity Impact (I) Low (L)
Availability Impact (A) None (N)

SAP provides this CVSS v3.0 base score as an estimate of the risk posed by the issue reported in this note.
This estimate does not take into account your own system configuration or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding on the applicability or priority of this SAP Security Note. For more information, see the FAQ section at

Software Components

Software Component Release
EP-WPC 7.30 – 7.30
EP-WPC 7.31 – 7.31
EP-WPC 7.40 – 7.40
EP-WPC 7.50 – 7.50

Support Package Patches

Software Component Version Support Package Patch Level
EP WEB PAGE COMPOSER 7.50 SP026 000000
EP WEB PAGE COMPOSER 7.50 SP025 000000
EP WEB PAGE COMPOSER 7.31 SP028 000002
EP WEB PAGE COMPOSER 7.30 SP021 000002
EP WEB PAGE COMPOSER 7.50 SP021 000001
EP WEB PAGE COMPOSER 7.50 SP022 000002
EP WEB PAGE COMPOSER 7.50 SP023 000002
EP WEB PAGE COMPOSER 7.50 SP024 000001
EP WEB PAGE COMPOSER 7.40 SP023 000002
EP WEB PAGE COMPOSER 7.50 SP019 000001
EP WEB PAGE COMPOSER 7.50 SP020 000001