SAP Security Notes, June 2023
Notes 3324285 and 3326210 patch high-priority vulnerabilities in SAP UI5. The former applies input validation to block the storage and reading of malicious scripts that could lead to cross-site scripting. The latter introduces additional restrictions to prevent the injection of untrusted CSS that can be exploited for clickjacking. Note 3326210 includes a temporary workaround that involves removing the values of the "style" and "class" attributes in the HTML input of the control sap.m.FormattedText and other controls.
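The interim workaround for note 3326210 amounts to dropping "style" and "class" from every tag before the HTML reaches the control. The following is an added illustration (not SAP's code, and not the fix shipped in the note) of such a pre-processing step; it assumes the HTML fragment is a plain string that an application would otherwise pass to FormattedText, and uses a small tag tokenizer rather than a full HTML parser.

```javascript
// Added example: strip "style" and "class" attributes from an HTML fragment
// before it is handed to sap.m.FormattedText (e.g. via setHtmlText).
// This is an assumed, application-side mitigation, not SAP's own code.

const DROPPED_ATTRS = new Set(["style", "class"]);

// One tag, tolerating ">" inside quoted attribute values.
const TAG_RE = /<(?:"[^"]*"|'[^']*'|[^'">])*>/g;

// One attribute: name, then optionally "=" and a double-quoted,
// single-quoted or unquoted value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'<>`]+))?/g;

function stripTagAttributes(tag) {
  // tag is the full text of one tag, e.g. <div class="x" style="...">
  const m = /^<\s*(\/?)([A-Za-z][^\s\/>]*)([\s\S]*?)(\/?)>$/.exec(tag);
  if (!m) return tag; // comments, doctype etc.: leave unchanged
  const [, closing, name, attrText, selfClose] = m;
  if (closing) return `</${name}>`;
  const kept = [];
  for (const a of attrText.matchAll(ATTR_RE)) {
    // Attribute names are case-insensitive in HTML, so compare lower-cased.
    if (DROPPED_ATTRS.has(a[1].toLowerCase())) continue;
    kept.push(a[2] === undefined ? a[1] : `${a[1]}=${a[2]}`);
  }
  const attrs = kept.length ? " " + kept.join(" ") : "";
  return `<${name}${attrs}${selfClose ? " /" : ""}>`;
}

function stripStyleAndClass(html) {
  // Rewrite every tag; text between tags is passed through untouched.
  return html.replace(TAG_RE, stripTagAttributes);
}
```

The result is what a sanitising wrapper would hand to the control; attributes the workaround does not name (href, title, target and so on) are kept as-is.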
Note 3102769 was updated for releases 7.31 and 7.40 of SAP Knowledge Warehouse (KW). The note resolves a high-priority cross-site scripting vulnerability in the Internet Knowledge Servlet (IKS) of KW. A workaround for the vulnerability is detailed in note 3221696. The IKS can be deactivated using the Config Tool. Alternatively, URL filters can be applied using the ICM or Web Dispatcher to block requests to the vulnerable component.
Notes 3319400, 2826092, 3331627 and 3318657 patch cross-site vulnerabilities in SAP BOBJ, CRM, Enterprise Portal, and the Design Time Repository of SAP NetWeaver, respectively.