CVE-2020-6319
MEDIUMSAP NetWeaver Application Server Java -7.10-7.50 - XSS
Title source: llmDescription
SAP NetWeaver Application Server Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50 allows an unauthenticated attacker to include JavaScript blocks in any web page or URL with different symbols which are otherwise not allowed. On successful exploitation an attacker can steal authentication information of the user, such as data relating to his or her current session and limitedly impact confidentiality and integrity of the application, leading to Reflected Cross Site Scripting.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
Permissions Required x_refsource_misc
https://launchpad.support.sap.com/#/notes/2956398
Scores
CVSS v3
6.1
EPSS
0.0032
EPSS Percentile
55.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (7)
sap/netweaver_application_server_java
7.10
sap/netweaver_application_server_java
7.11
sap/netweaver_application_server_java
7.20
sap/netweaver_application_server_java
7.30
sap/netweaver_application_server_java
7.31
sap/netweaver_application_server_java
7.40
sap/netweaver_application_server_java
7.50
Published
Oct 15, 2020
Tracked Since
Feb 18, 2026