SAP Security Note
3283283 - [CVE-2023-0013] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
Component: BC-ABA-LA (Syntax, Compiler, Runtime), Version: 5, Released On: 10.01.2023
Symptom
The ABAP Keyword Documentation of SAP NetWeaver Application Server for ABAP and ABAP Platform does
not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability. On
successful exploitation an attacker can cause limited impact on the confidentiality and integrity of the application.

Other Terms
XSS, reflected XSS, CSS, CVE-2023-0013 (https://www.cve.org/CVERecord?id=CVE-2023-0013)
Reason and Prerequisites
The URL of the web version of the ABAP Keyword Documentation is not sufficiently protected against illegal
path extensions. Such path extensions are possible because the Internet Communication Framework (ICF) accepts longer
URLs than the ABAP Keyword Documentation actually needs, so the surplus part of the path reaches the documentation
application.

Solution
With this correction, invalid path specifications are rejected.
Implement the Support Package mentioned in this SAP Note or the respective correction instruction.
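The note describes the bug class (surplus path segments reaching a page that reflects them) and the fix (reject any path that is not exactly what the documentation needs). The following added Python example, written for this page and not taken from SAP's code, contrasts the two patterns on constructed input. The ICF node `/sap/public/bc/abap/docu`, the single-segment document-name layout, the name `abenselect` and the regular expression are assumptions for illustration, not details from the note.

```python
import re
from html import escape
from urllib.parse import unquote

# Assumed layout, not taken from the SAP note or SAP's code: the web version of
# the keyword documentation is served below one fixed ICF node and accepts at
# most one further path segment naming the document to show.
DOCU_BASE = "/sap/public/bc/abap/docu"
DOC_NAME = re.compile(r"^[A-Za-z0-9_\-]{1,64}$")


def validate_docu_path(raw_path):
    """Allow-list check for the request path.

    Returns (accepted, doc_name). Anything that is not exactly DOCU_BASE or
    DOCU_BASE/<doc_name> is rejected, so extra segments, traversal, encoded
    markup and oversized names never reach the HTML rendering below.
    """
    path = unquote(raw_path)  # decode once, then validate the decoded form
    if "\x00" in path:
        return False, None
    if path == DOCU_BASE:
        return True, None
    if not path.startswith(DOCU_BASE + "/"):
        return False, None
    rest = path[len(DOCU_BASE) + 1:]
    # exactly one further segment, drawn from a strict character allow-list
    if "/" in rest or not DOC_NAME.match(rest):
        return False, None
    return True, rest


def render_title_unchecked(raw_path):
    """Illustrative vulnerable pattern (constructed, not SAP's code): the
    surplus path extension is copied into the page unvalidated and unencoded."""
    extension = unquote(raw_path)[len(DOCU_BASE):]
    return "<h1>ABAP Keyword Documentation " + extension + "</h1>"


def render_title(raw_path):
    """Hardened pattern: reject invalid paths outright, and HTML-encode the one
    value that is still reflected after it passed the allow-list."""
    accepted, doc = validate_docu_path(raw_path)
    if not accepted:
        return "<h1>Invalid document path</h1>"  # fixed text, nothing reflected
    return "<h1>ABAP Keyword Documentation " + escape(doc or "index") + "</h1>"
```

Rejecting the malformed path is the primary control, matching what the note says the correction does; output encoding of the accepted value is the second layer, so a future loosening of the allow-list does not silently reopen the reflection.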
Manual Activities
CVSS
CVSS Score: 6.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Metric | Value
Attack Vector (AV) | Network (N)
Attack Complexity (AC) | Low (L)
Privileges Required (PR) | None (N)
User Interaction (UI) | Required (R)
Scope (S) | Changed (C)
Confidentiality Impact (C) | Low (L)
Integrity Impact (I) | Low (L)
Availability Impact (A) | None (N)
SAP provides this CVSS v3.0 base score as an estimate of the risk posed by the issue reported in this note.
This estimate does not take into account your own system configuration or operational environment. It is not
intended to replace any risk assessments you are advised to conduct when deciding on the applicability or
priority of this SAP security note. For more information, see the FAQ section at
https://support.sap.com/securitynotes
Attributes
Key | Value
Externally Reported | Yes

Software Components
Software Component | From | To | And subsequent
SAP_BASIS | | |
SAP_BASIS | | |
SAP_BASIS | | |
SAP_BASIS | | |

Correction Instructions
Software Component | Number of Correction Instructions
SAP_BASIS |
SAP_BASIS |
SAP_BASIS |
SAP_BASIS |
Correction instructions: https://launchpad.support.sap.com/#/corrins/0003283283/41
Prerequisites
From | To | SAP Note/KBA | Title | Component
750 | 750 | 2996479 (/sap/support/notes/2996479) | [CVE-2020-26835] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP | BC-ABA-LA
751 | 751 | 2996479 (/sap/support/notes/2996479) | [CVE-2020-26835] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP | BC-ABA-LA
752 | 752 | 2996479 (/sap/support/notes/2996479) | [CVE-2020-26835] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP | BC-ABA-LA
753 | 753 | 2996479 (/sap/support/notes/2996479) | [CVE-2020-26835] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP | BC-ABA-LA
Support Package
Software Component | Version | Support Package
SAP_BASIS | 702 | SAPKB70226 (https://launchpad.support.sap.com/#/supportpackage/SAPKB70226)
SAP_BASIS | 731 | SAPKB73133 (https://launchpad.support.sap.com/#/supportpackage/SAPKB73133)
SAP_BASIS | 740 | SAPKB74030 (https://launchpad.support.sap.com/#/supportpackage/SAPKB74030)
SAP_BASIS | 750 | SAPK-75027INSAPBASIS (https://launchpad.support.sap.com/#/supportpackage/SAPK-75027INSAPBASIS)
SAP_BASIS | 751 | SAPK-75116INSAPBASIS (https://launchpad.support.sap.com/#/supportpackage/SAPK-75116INSAPBASIS)
SAP_BASIS | 752 | SAPK-75212INSAPBASIS (https://launchpad.support.sap.com/#/supportpackage/SAPK-75212INSAPBASIS)
SAP_BASIS | 753 | SAPK-75310INSAPBASIS (https://launchpad.support.sap.com/#/supportpackage/SAPK-75310INSAPBASIS)
SAP_BASIS | 754 | SAPK-75408INSAPBASIS (https://launchpad.support.sap.com/#/supportpackage/SAPK-75408INSAPBASIS)
SAP_BASIS | 755 | SAPK-75506INSAPBASIS (https://launchpad.support.sap.com/#/supportpackage/SAPK-75506INSAPBASIS)
SAP_BASIS | 756 | SAPK-75604INSAPBASIS (https://launchpad.support.sap.com/#/supportpackage/SAPK-75604INSAPBASIS)
SAP_BASIS | 757 | SAPK-75702INSAPBASIS (https://launchpad.support.sap.com/#/supportpackage/SAPK-75702INSAPBASIS)
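The support package names above encode the SAP_BASIS release and the SP level that carries the fix (SAPKB70226 is release 702, SP 26; SAPK-75027INSAPBASIS is release 750, SP 27). The following added Python example, written for this page rather than taken from SAP tooling, turns that table into a quick exposure check across a landscape. The system IDs and installed levels in `SAMPLE_SYSTEMS` are constructed sample data, and the two name patterns are assumptions that hold for the packages listed in this note.

```python
import re

# Fixing support package per SAP_BASIS release, copied from this note's table.
FIXED_BY_SP = {
    "702": "SAPKB70226",
    "731": "SAPKB73133",
    "740": "SAPKB74030",
    "750": "SAPK-75027INSAPBASIS",
    "751": "SAPK-75116INSAPBASIS",
    "752": "SAPK-75212INSAPBASIS",
    "753": "SAPK-75310INSAPBASIS",
    "754": "SAPK-75408INSAPBASIS",
    "755": "SAPK-75506INSAPBASIS",
    "756": "SAPK-75604INSAPBASIS",
    "757": "SAPK-75702INSAPBASIS",
}

# Assumed naming patterns (they fit every package in the table above):
#   SAPKB<rel><sp>              e.g. SAPKB70226            -> 702, SP 26
#   SAPK-<rel><sp>INSAPBASIS    e.g. SAPK-75027INSAPBASIS  -> 750, SP 27
_OLD_STYLE = re.compile(r"^SAPKB(\d{3})(\d{2})$")
_NEW_STYLE = re.compile(r"^SAPK-(\d{3})(\d{2})INSAPBASIS$")


def parse_sp(package):
    """Return (release, sp_level) for a SAP_BASIS support package name."""
    for pattern in (_OLD_STYLE, _NEW_STYLE):
        m = pattern.match(package)
        if m:
            return m.group(1), int(m.group(2))
    raise ValueError("unrecognised support package name: " + package)


def fix_status(release, installed_sp):
    """'fixed', 'vulnerable' or 'unknown' for one SAP_BASIS release / SP level.

    'unknown' means the release is not in this note's table, so the SP level
    alone says nothing; such systems need a manual look at the note."""
    if release not in FIXED_BY_SP:
        return "unknown"
    fix_release, fix_sp = parse_sp(FIXED_BY_SP[release])
    if fix_release != release:
        raise ValueError("table entry does not match its release: " + release)
    return "fixed" if installed_sp >= fix_sp else "vulnerable"


# Constructed sample: SID -> (SAP_BASIS release, installed SP level), the two
# values shown for SAP_BASIS in SAP GUI under System > Status > Component
# information. These are not real systems.
SAMPLE_SYSTEMS = {
    "DEV": ("750", 25),
    "QAS": ("754", 8),
    "PRD": ("702", 26),
    "SBX": ("703", 9),
}


def assess(systems=SAMPLE_SYSTEMS):
    return {sid: fix_status(rel, sp) for sid, (rel, sp) in systems.items()}


if __name__ == "__main__":
    for sid, status in assess().items():
        print(sid, status)
```

Two caveats a practitioner should keep in mind: a system below the listed SP level may still be fixed if the note was applied as a correction instruction through transaction SNOTE, so confirm the implementation state of note 3283283 there before reporting it as vulnerable; and a release outside the table (the `SBX` case) is reported as unknown rather than guessed either way.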
This document is referenced by
SAP Note/KBA | Title
(0 entries)