Information officially released as part of the November SAP Patchday describes a new critical vulnerability: SAP Security Note 2928635 (CVE-2020-6284) addresses a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management. Act now to close the gap!
This is a stored XSS: because of insufficient filtering, script content contained in an uploaded file is kept by Knowledge Management and executed when a user with extensive admin permissions opens that file. The script then runs in that user's browser session, and can threaten the protection objectives of your SAP system, confidentiality, integrity, and availability, across the board.
If you take no action, the situation remains critical: a malicious file can be uploaded and is then executed automatically, without any authorization check, as soon as it is opened.
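To make the mechanism concrete, the following is an added illustration of the stored-XSS-through-upload pattern in general: a file carrying script content is stored and later served to a privileged user's browser, which runs it in the application's origin. It is example code written for this page, not SAP's code and not the content of Note 2928635; the detection heuristic, the allowlist of inline types and the header policy are assumptions of the example and do not replace applying the patch.

```python
"""
Stored XSS via file upload, generic illustration (example code, not SAP's).

Two pieces:
  * contains_active_content(): a heuristic check for script-bearing markup
    in stored bytes (assumption: a regex over a few well-known constructs).
  * response_headers(): a serving policy that renders only allowlisted,
    script-free types inline and forces everything else to a download, so
    that script content in a stored file never runs in the app's origin.
"""
import re

# Constructed sample uploads (not real captured data).
SAMPLES = {
    "notes.txt": b"Quarterly planning notes.",
    "report.html": b"<html><body><script>fetch('/admin/api', {credentials: 'include'})"
                   b"</script></body></html>",
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)">'
                b'<circle r="4"/></svg>',
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

# Markup a browser executes when it renders the bytes as HTML or SVG:
# <script>, event-handler attributes inside a tag, javascript: URLs, and
# embedding elements. Heuristic only; an allowlist of types is the real control.
ACTIVE_CONTENT = re.compile(
    rb"<\s*script\b|<[^>]*\bon[a-z]+\s*=|javascript\s*:|<\s*(iframe|object|embed)\b",
    re.IGNORECASE,
)

# Types this example is willing to render inline, keyed by file extension.
INLINE_TYPES = {
    "txt": "text/plain; charset=utf-8",
    "png": "image/png",
    "pdf": "application/pdf",
}


def contains_active_content(data: bytes) -> bool:
    """True if the stored bytes contain script-bearing markup."""
    return ACTIVE_CONTENT.search(data) is not None


def safe_filename(name: str) -> str:
    """Strip anything that could break out of a Content-Disposition header
    (quotes, CR/LF, path separators), keeping a short, plain name."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)[:128] or "download"


def response_headers(filename: str, data: bytes) -> dict:
    """Headers for serving a stored file so that script content in it cannot
    run in the application's origin.

    Only allowlisted, script-free types are rendered inline; everything else
    is sent as an opaque download. nosniff stops the browser from guessing
    text/html from the bytes, and the CSP sandbox isolates any inline render.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    inline = ext in INLINE_TYPES and not contains_active_content(data)
    disposition = "inline" if inline else "attachment"
    return {
        "Content-Type": INLINE_TYPES[ext] if inline else "application/octet-stream",
        "Content-Disposition": f'{disposition}; filename="{safe_filename(filename)}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


def review_uploads(samples=SAMPLES) -> dict:
    """Map each stored file to the disposition it would be served with."""
    return {
        name: response_headers(name, data)["Content-Disposition"].split(";")[0]
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, disposition in review_uploads().items():
        print(f"{name:12s} -> {disposition}")
```

The point of the example is the serving side: whether the upload filter catches a given payload or not, a file that is never rendered as HTML in the application's origin cannot execute script there. In the SAP case the vendor patch is the remedy; this is only a way to reason about the exposure of file stores you operate yourself.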
Software components affected:
It affects the following versions of the KMC-CM software component, with all Support Packages:
- 7.30
- 7.31
- 7.40
- 7.50
The execution of malicious resources in SAP NetWeaver Knowledge Management is remedied by patching the KMC CONTENT MANAGEMENT (KMC-CM) software component.
Our tip for you: be sure to implement each SAP Note in your SAP systems separately.
Source: https://launchpad.support.sap.com/#/notes/2928635