CVE-2020-26825

Name of the Vulnerable Software and Affected Versions SAP Fiori Launchpad (News tile Application) versions 750 through 755

Description The issue allows an unauthorized attacker to send malicious code to a different end user (victim) using the SAP Fiori Launchpad News tile Application. This is due to the News tile not sufficiently encoding user-controlled inputs, resulting in a Reflected Cross-Site Scripting (XSS) issue. Information maintained in the victim's web browser can be read, modified, and sent to the attacker. However, the malicious code cannot significantly impact the victim's browser, and the victim can easily close the browser tab to terminate it.

Recommendations For versions 750 through 755, consider disabling the News tile Application until a patch is available to prevent the exploitation of the Reflected Cross-Site Scripting (XSS) issue. Restrict access to the News tile to minimize the risk of exploitation. Avoid using user-controlled inputs in the News tile Application until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.