CVE-2020-6365 : SAP NetWeaver AS Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, Star

SAP NetWeaver AS Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, Start Page allows an unauthenticated remote attacker to redirect users to a malicious site due to insufficient reverse tabnabbing URL validation. The attacker could execute phishing attacks to steal credentials of the victim or to redirect users to untrusted web pages containing malware or similar malicious exploits.

Published 2020-10-15 03:15:12

Updated 2021-04-12 14:21:58

Source SAP SE

View at NVD, CVE.org

Vulnerability category: Open redirect

Products affected by CVE-2020-6365

SAP » Netweaver Application Server Java » Version: 7.50
cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver Application Server Java » Version: 7.40
cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver Application Server Java » Version: 7.30
cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver Application Server Java » Version: 7.20
cpe:2.3:a:sap:netweaver_application_server_java:7.20:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver Application Server Java » Version: 7.31
cpe:2.3:a:sap:netweaver_application_server_java:7.31:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver Application Server Java » Version: 7.10
cpe:2.3:a:sap:netweaver_application_server_java:7.10:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver Application Server Java » Version: 7.11
cpe:2.3:a:sap:netweaver_application_server_java:7.11:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-6365

EPSS FAQ

0.21%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 41 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-6365

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:N	8.6	4.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
4.7	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N	2.8	1.4	SAP SE
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: None Integrity: Low Availability: None
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2020-6365

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-6365

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196

SAP Security Patch Day – October 2020 - Product Security Response at SAP - Community Wiki
Vendor Advisory

CVEs referencing this url
https://launchpad.support.sap.com/#/notes/2969828

SAP ONE Support Launchpad: Log On
Permissions Required;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-6365

Products affected by CVE-2020-6365

Exploit prediction scoring system (EPSS) score for CVE-2020-6365

CVSS scores for CVE-2020-6365

CWE ids for CVE-2020-6365

References for CVE-2020-6365