Vulnerability Name: CVE-2020-6246 (CCN-183302)
Assigned: 2020-06-09
Published: 2020-06-09
Updated: 2020-06-16
Summary: SAP NetWeaver AS ABAP Business Server Pages Test Application SBSPEXT_TABLE, versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability.
CVSS v3 Severity:
6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): Required
  Scope:
    Scope (S): Changed
  Impact Metrics:
    Confidentiality (C): Low
    Integrity (I): Low
    Availability (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): Required
  Scope:
    Scope (S): Changed
  Impact Metrics:
    Confidentiality (C): Low
    Integrity (I): Low
    Availability (A): None
CVSS v2 Severity:
4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Medium
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): Partial
    Availability (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): Single_Instance
  Impact Metrics:
    Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Cross-Site Scripting
References:
  Source: MITRE  Type: CNA  CVE-2020-6246
  Source: XF  Type: UNKNOWN  sap-cve20206246-xss(183302)
  Source: CCN  Type: SAP Web site  SAP Support Note 2878935
  Source: MISC  Type: Permissions Required  https://launchpad.support.sap.com/#/notes/2878935
  Source: CCN  Type: SAP Security Patch Day June 2020  SAP Security Patch Day June 2020
  Source: MISC  Type: Vendor Advisory  https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775
Vulnerable Configuration:
  Configuration 1:
    cpe:/a:sap:netweaver_as_abap_business_server_pages:700:*:*:*:*:*:*:* OR
    cpe:/a:sap:netweaver_as_abap_business_server_pages:701:*:*:*:*:*:*:* OR
    cpe:/a:sap:netweaver_as_abap_business_server_pages:702:*:*:*:*:*:*:* OR
    cpe:/a:sap:netweaver_as_abap_business_server_pages:730:*:*:*:*:*:*:* OR
    cpe:/a:sap:netweaver_as_abap_business_server_pages:731:*:*:*:*:*:*:* OR
    cpe:/a:sap:netweaver_as_abap_business_server_pages:740:*:*:*:*:*:*:* OR
    cpe:/a:sap:netweaver_as_abap_business_server_pages:750:*:*:*:*:*:*:* OR
    cpe:/a:sap:netweaver_as_abap_business_server_pages:751:*:*:*:*:*:*:* OR
    cpe:/a:sap:netweaver_as_abap_business_server_pages:752:*:*:*:*:*:*:* OR
    cpe:/a:sap:netweaver_as_abap_business_server_pages:753:*:*:*:*:*:*:* OR
    cpe:/a:sap:netweaver_as_abap_business_server_pages:754:*:*:*:*:*:*:*
  Configuration CCN 1:
    cpe:/a:sap:netweaver_as_abap:700:*:*:*:*:*:*:* OR
    cpe:/a:sap:netweaver_as_abap:730:*:*:*:*:*:*:* OR
    cpe:/a:sap:netweaver_as_abap:731:*:*:*:*:*:*:* OR
    cpe:/a:sap:netweaver_as_abap:750:*:*:*:*:*:*:* OR
    cpe:/a:sap:netweaver_as_abap:752:*:*:*:*:*:*:* OR
    cpe:/a:sap:netweaver_as_abap:753:*:*:*:*:*:*:* OR
    cpe:/a:sap:netweaver_as_abap:754:*:*:*:*:*:*:*
sap netweaver as abap business server pages 700
sap netweaver as abap business server pages 701
sap netweaver as abap business server pages 702
sap netweaver as abap business server pages 730
sap netweaver as abap business server pages 731
sap netweaver as abap business server pages 740
sap netweaver as abap business server pages 750
sap netweaver as abap business server pages 751
sap netweaver as abap business server pages 752
sap netweaver as abap business server pages 753
sap netweaver as abap business server pages 754
sap netweaver as abap 700
sap netweaver as abap 730
sap netweaver as abap 731
sap netweaver as abap 750
sap netweaver as abap 752
sap netweaver as abap 753
sap netweaver as abap 754