Act immediately to remedy the Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management!

SAST Blog

Information just now officially provided as part of the November SAP Patchday describes a new critical vulnerability: SAP Security Note 2928635 (CVE-2020-6284) is a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management. Act now to close the loophole!


This vulnerability allows script content embedded in a stored file to be executed, because the user access authorizations are insufficiently filtered. When a user with extensive admin permissions opens this file, the executed script can threaten the confidentiality, integrity, and availability of your SAP system across the board.

If you take no action, the situation will become critical, as a malicious file can be uploaded and executed automatically without any authorization check.
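As an added illustration of the mechanism described above (example code, not code from SAP or from the original post), here is a minimal viewer in Python: one version echoes a stored file into the page unchanged, so any script it carries runs in the viewer's browser, and the hardened version escapes the content and sends headers that block inline script. The file name, file body and the `Response` class are constructed for this example.

```python
import html
from dataclasses import dataclass, field

# Constructed sample: a file stored in a document repository whose body
# carries script content. Name and content are made up for this example.
STORED_FILE_NAME = "notes.html"
STORED_FILE_BODY = "<p>Quarterly notes</p><script>/* constructed sample */</script>"


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (hypothetical, not a real framework)."""
    body: str
    headers: dict = field(default_factory=dict)


def serve_stored_file_unfiltered(name: str, body: str) -> Response:
    """Vulnerable pattern: the stored file is echoed into the viewer page
    unchanged, so a <script> element inside it executes for whoever views it,
    including an administrator."""
    page = f"<h1>{name}</h1><div class='content'>{body}</div>"
    return Response(page, {"Content-Type": "text/html; charset=utf-8"})


def serve_stored_file_hardened(name: str, body: str) -> Response:
    """Hardened pattern: escape stored content before embedding it, and add
    headers that stop the browser from running inline script or sniffing
    the document as a different content type."""
    page = (
        f"<h1>{html.escape(name)}</h1>"
        f"<pre class='content'>{html.escape(body)}</pre>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        # No 'unsafe-inline' and no script sources at all: an inline <script>
        # cannot run even if the escaping above were ever bypassed.
        "Content-Security-Policy": "default-src 'none'; style-src 'self'",
    }
    return Response(page, headers)


def contains_raw_script_tag(page_html: str) -> bool:
    """Crude check used by this example only: does the rendered page still
    contain an unescaped <script tag? Real scanners are more thorough."""
    return "<script" in page_html.lower()
```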

Software components affected:

It impacts the following versions of the KMC-CM software component with all Support Packages:

  • 7.30
  • 7.31
  • 7.40
  • 7.50

The execution of malicious resources in SAP NetWeaver Knowledge Management is remedied by patching the KMC CONTENT MANAGEMENT software component.

Our tip for you: Be sure to integrate each SAP Note into your SAP systems separately.

Source: https://launchpad.support.sap.com/#/notes/2928635