CVE-2020-6284
📋 TL;DR
CVE-2020-6284 is a stored cross-site scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management that allows automatic execution of malicious scripts in stored files due to inadequate filtering. Attackers can inject scripts that execute with the victim's privileges, potentially leading to complete system compromise if the victim has administrative access. This affects SAP NetWeaver versions 7.30, 7.31, 7.40, and 7.50.
💻 Affected Systems
- SAP NetWeaver Knowledge Management
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of system confidentiality, integrity, and availability through administrative privilege escalation, potentially leading to data theft, system takeover, or ransomware deployment.
Likely Case
Session hijacking, credential theft, or privilege escalation leading to unauthorized access to sensitive business data and systems.
If Mitigated
Limited impact to non-administrative users with proper input validation and output encoding controls in place.
🎯 Exploit Status
Exploitation requires user interaction (accessing malicious content) but is straightforward once initial script injection is achieved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 2928635
Vendor Advisory: https://launchpad.support.sap.com/#/notes/2928635
Restart Required: Yes
Instructions:
1. Download SAP Note 2928635 from SAP Support Portal.
2. Apply the security patch using SAP's standard patching procedures.
3. Restart affected SAP systems.
4. Verify patch application through transaction SNOTE.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement strict input validation and output encoding for all user-controlled content in Knowledge Management.
Access Restriction
Restrict access to Knowledge Management components to only authorized users and implement Content Security Policy (CSP) headers.
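The two workarounds above (output encoding of stored content, plus a CSP header) are illustrated by the following added example. It is not SAP code and has nothing to do with how Knowledge Management renders files internally; it is a generic allowlist sanitizer that shows what "inadequate filtering" versus adequate filtering looks like for stored HTML. The tag and attribute allowlist, the sample payload and the CSP value are assumptions chosen for the illustration.

```python
import html
from html.parser import HTMLParser

# Assumed allowlist policy for this example: only simple formatting tags survive,
# and the only attribute kept is href on <a>, restricted to http(s) URLs.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://")
VOID_TAGS = {"br"}
# Containers whose *content* must be dropped as well, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild stored HTML keeping only allowlisted tags/attributes; escape all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped container such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, svg, ...) is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            # Event handlers (onclick, onerror, ...) are never allowed on any tag.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href":
                if value is None or not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                    continue  # blocks javascript:, data:, vbscript: and relative tricks
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth:
            return
        # Text is always re-encoded, so entity-decoded "<script>" comes back out as &lt;script&gt;.
        self.out.append(html.escape(data, quote=False))


def sanitize(stored_html: str) -> str:
    """Return a rendering-safe version of user-supplied stored content."""
    parser = AllowlistSanitizer()
    parser.feed(stored_html)
    parser.close()
    return "".join(parser.out)


def csp_header() -> tuple:
    """Assumed CSP value: inline and third-party scripts are refused by the browser."""
    return ("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")


if __name__ == "__main__":
    # Constructed stored-file payload combining several injection vectors.
    payload = ('<p>Hello <b>world</b><script>alert(1)</script>'
               '<a href="javascript:alert(1)" onclick="x()">link</a>'
               '<img src=x onerror=alert(1)></p>')
    print(sanitize(payload))   # <p>Hello <b>world</b><a>link</a></p>
    print(": ".join(csp_header()))
```

Output encoding alone (html.escape on the whole file) would also stop the script from running but destroys legitimate formatting; the allowlist approach keeps what the business needs and drops everything else. The CSP header is defence in depth: even if a script slipped past the sanitizer, a browser honouring script-src 'self' will not execute inline script.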
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block XSS payloads targeting Knowledge Management endpoints.
- Disable or restrict access to Knowledge Management functionality if not business-critical, and implement strict user privilege management.
🔍 How to Verify
Check if Vulnerable:
Check if SAP NetWeaver version is 7.30, 7.31, 7.40, or 7.50 with Knowledge Management component installed and SAP Note 2928635 not applied.
Check Version:
Execute transaction SM51 or check system information in SAP GUI.
Verify Fix Applied:
Verify SAP Note 2928635 is applied using transaction SNOTE and test Knowledge Management functionality for script execution.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to Knowledge Management, suspicious script tags in stored content, unexpected administrative actions
Network Indicators:
- HTTP requests containing script payloads to Knowledge Management endpoints, unusual outbound connections from SAP systems
SIEM Query:
source="sap_audit_logs" AND (event="file_upload" OR event="script_execution") AND component="Knowledge Management"
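The log indicators listed above (script-like content in stored or uploaded files, unusual upload volume) and the WAF-style payload detection mentioned under "If You Can't Patch" can be turned into a small detection routine. The following is an added example, not SAP tooling and not a real SAP audit log format: the key=value log lines are constructed for the illustration, and the pattern list and the per-user upload threshold are assumptions a team would tune to its own environment.

```python
import re
from collections import Counter

# Constructed sample audit log lines (key=value style); not real SAP NetWeaver output.
SAMPLE_LOGS = [
    'ts=2020-07-14T10:22:01Z event=file_upload component="Knowledge Management" user=jdoe file="report.docx" snippet="Quarterly figures"',
    'ts=2020-07-14T10:23:10Z event=file_upload component="Knowledge Management" user=mallory file="notes.html" snippet="<script>alert(document.cookie)</script>"',
    'ts=2020-07-14T10:23:40Z event=file_upload component="Knowledge Management" user=mallory file="img.html" snippet="<img src=x onerror=alert(1)>"',
    'ts=2020-07-14T10:24:05Z event=logon component="Portal" user=asmith file="" snippet=""',
    'ts=2020-07-14T10:25:12Z event=file_upload component="Knowledge Management" user=asmith file="link.html" snippet="<a href=javascript:alert(1)>x</a>"',
    'ts=2020-07-14T10:26:30Z event=file_upload component="Knowledge Management" user=mallory file="third.pdf" snippet="plain"',
]

# key=value or key="quoted value"; quoted values may contain '=' and '<'.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Assumed indicators of script injection in stored content.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),              # inline event handlers
    re.compile(r"<\s*(svg|iframe|object|embed)\b", re.I),
]
UPLOAD_THRESHOLD = 3  # assumed: this many uploads by one user in the window is "unusual"


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def analyze(lines) -> list:
    """Return alerts for script-like uploads and per-user upload bursts in Knowledge Management."""
    alerts = []
    uploads_per_user = Counter()
    for line in lines:
        fields = parse_line(line)
        if fields.get("component") != "Knowledge Management":
            continue
        if fields.get("event") == "file_upload":
            uploads_per_user[fields.get("user", "?")] += 1
        # Filename and content snippet are the attacker-controlled parts of the record.
        text = " ".join(fields.get(k, "") for k in ("file", "snippet"))
        hits = [p.pattern for p in XSS_PATTERNS if p.search(text)]
        if hits:
            alerts.append({"user": fields.get("user"), "file": fields.get("file"),
                           "reason": "script-like content", "patterns": hits})
    for user, count in uploads_per_user.items():
        if count >= UPLOAD_THRESHOLD:
            alerts.append({"user": user, "file": None,
                           "reason": "upload burst", "patterns": [f"{count} uploads"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(f"{alert['reason']:<22} user={alert['user']} file={alert['file']} {alert['patterns']}")
```

The pattern list is deliberately short; a production rule set would also decode HTML entities and URL encoding before matching, since stored XSS payloads are frequently delivered encoded. The burst counter covers the "unusual file uploads" indicator without any content inspection at all, which matters when the log only records metadata.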