CVE-2020-6326

SAP NetWeaver (Knowledge Management), version-7.30,7.31,7.40,7.50, allows an authenticated attacker to create malicious links in the UI, when clicked by victim, will execute arbitrary java scripts thus extracting or modifying information otherwise restricted leading to Stored Cross Site Scripting.

CVSS v3 5.4 MEDIUM
CVSS v2.0 3.5 LOW

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://launchpad.support.sap.com/#/notes/2953112	Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:netweaver_knowledge_management:7.30:::::::*
	cpe:2.3:a:sap:netweaver_knowledge_management:7.31:::::::*
	cpe:2.3:a:sap:netweaver_knowledge_management:7.40:::::::*
	cpe:2.3:a:sap:netweaver_knowledge_management:7.50:::::::*

History

No history.

Information

Published : 2020-09-09 13:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-6326

Mitre link : CVE-2020-6326

CVE.ORG link : CVE-2020-6326

JSON object : View

Products Affected

sap

netweaver_knowledge_management

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2020-6326", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2020-09-09T13:15:12.520", "references": [{"url": "https://launchpad.support.sap.com/#/notes/2953112", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "SAP NetWeaver (Knowledge Management), version-7.30,7.31,7.40,7.50, allows an authenticated attacker to create malicious links in the UI, when clicked by victim, will execute arbitrary java scripts thus extracting or modifying information otherwise restricted leading to Stored Cross Site Scripting."}, {"lang": "es", "value": "SAP NetWeaver (Knowledge Management), versi\u00f3n-7.30,7.31,7.40,7.50, permite a un atacante autenticado crear enlaces maliciosos en la Interfaz de Usuario, cuando la v\u00edctima haga clic en \u00e9l, ejecutar\u00e1 scripts java arbitrarios, extrayendo o modificando informaci\u00f3n que de otro modo estar\u00eda restringida conllevando a una vulnerabilidad de tipo Cross Site Scripting Almacenado."}], "lastModified": "2020-09-14T17:49:25.587", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_knowledge_management:7.30:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "69E7BD55-6020-4CF5-9B1C-AAC6161403E0"}, {"criteria": "cpe:2.3:a:sap:netweaver_knowledge_management:7.31:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F6A9823F-8736-44E1-8F51-7149236A85C2"}, {"criteria": "cpe:2.3:a:sap:netweaver_knowledge_management:7.40:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "67365283-2C5E-448E-A9F7-8AA033B57F67"}, {"criteria": "cpe:2.3:a:sap:netweaver_knowledge_management:7.50:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "95298857-D440-4323-ACAE-A1097DBC5C13"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}