// For flags

CVE-2020-26825

 

Severity Score

6.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to use SAP Fiori Launchpad News tile Application to send malicious code, to a different end user (victim), because News tile does not sufficiently encode user controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability. Information maintained in the victim's web browser can be read, modified, and sent to the attacker. The malicious code cannot significantly impact the victim's browser and the victim can easily close the browser tab to terminate it.

SAP Fiori Launchpad (News tile Application), versiones - 750,751,752,753,754,755, permite a un atacante no autorizado usar SAP Fiori Launchpad News tile Application para enviar código malicioso hacia un usuario final diferente (víctima), porque el mosaico News no codifica suficientemente las entradas controladas por el usuario. Resultando en la vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejado. La información que se mantiene en el navegador web de la víctima puede ser leída, modificada y enviada al atacante. El código malicioso no puede afectar significativamente el navegador de la víctima y la víctima puede cerrar fácilmente la pestaña del navegador para finalizarlo

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-10-07 CVE Reserved
  • 2020-11-13 CVE Published
  • 2023-07-30 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 2020-11-24
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Sap
Search vendor "Sap"
 Fiori Launchpad \(news Tile Application\)
Search vendor "Sap" for product "Fiori Launchpad \(news Tile Application\)"
 750
Search vendor "Sap" for product "Fiori Launchpad \(news Tile Application\)" and version "750"
-
Affected
Sap
Search vendor "Sap"
 Fiori Launchpad \(news Tile Application\)
Search vendor "Sap" for product "Fiori Launchpad \(news Tile Application\)"
 751
Search vendor "Sap" for product "Fiori Launchpad \(news Tile Application\)" and version "751"
-
Affected
Sap
Search vendor "Sap"
 Fiori Launchpad \(news Tile Application\)
Search vendor "Sap" for product "Fiori Launchpad \(news Tile Application\)"
 752
Search vendor "Sap" for product "Fiori Launchpad \(news Tile Application\)" and version "752"
-
Affected
Sap
Search vendor "Sap"
 Fiori Launchpad \(news Tile Application\)
Search vendor "Sap" for product "Fiori Launchpad \(news Tile Application\)"
 753
Search vendor "Sap" for product "Fiori Launchpad \(news Tile Application\)" and version "753"
-
Affected
Sap
Search vendor "Sap"
 Fiori Launchpad \(news Tile Application\)
Search vendor "Sap" for product "Fiori Launchpad \(news Tile Application\)"
 754
Search vendor "Sap" for product "Fiori Launchpad \(news Tile Application\)" and version "754"
-
Affected
Sap
Search vendor "Sap"
 Fiori Launchpad \(news Tile Application\)
Search vendor "Sap" for product "Fiori Launchpad \(news Tile Application\)"
 755
Search vendor "Sap" for product "Fiori Launchpad \(news Tile Application\)" and version "755"
-
Affected