CVE-2020-6283
MEDIUM
SAP Fiori Launchpad - Reflected Cross-Site Scripting via Meta Tag Injection
Title source: llm
Description
SAP Fiori Launchpad does not sufficiently encode user-controlled inputs, allowing an attacker to inject a meta tag into the launchpad HTML using the vulnerable parameter, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. With a successful attack, the attacker can steal authentication information of the user, such as data relating to his or her current session.
References (2)
Core References
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700
Permissions Required x_refsource_misc
https://launchpad.support.sap.com/#/notes/2865229
Scores
CVSS v3
6.1
EPSS
0.0036
EPSS Percentile
58.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (5)
sap/fiori_launchpad 750
sap/fiori_launchpad 752
sap/fiori_launchpad 753
sap/fiori_launchpad 754
sap/fiori_launchpad 755
Published
Sep 09, 2020
Tracked Since
Feb 18, 2026