SAP NW KW XSS vulnerability (CVE-2021-42063)
Description
SAP NetWeaver Knowledge Warehouse (versions up to 7.50) contains a reflected cross-site scripting (XSS) vulnerability in the SAPIrExtHelp endpoint. The endpoint fails to properly encode user-supplied input before reflecting it in the HTTP response, so script embedded in a crafted request is executed in the victim's browser in the context of the application.
Remediation
Apply the appropriate SAP security patches for your SAP NetWeaver Knowledge Warehouse version to address CVE-2021-42063. Consult the SAP Security Patch Day announcements and the references provided for specific patch details.
For organizations unable to immediately apply patches, implement the following compensating controls:
1. Configure web application firewalls (WAF) to detect and block XSS attack patterns targeting the SAPIrExtHelp endpoint
2. Implement Content Security Policy (CSP) headers to restrict script execution to trusted sources
3. Educate users to avoid clicking on untrusted links to SAP applications
For development teams maintaining custom SAP applications, ensure all user input is properly encoded before being rendered in HTML contexts. Use SAP's built-in encoding functions or implement output encoding following OWASP guidelines:
" Example: proper output encoding in ABAP before a value is rendered in an HTML context.
" user_parameter stands for the raw, user-controllable input; it must never be written out unencoded.
DATA(lv_user_input) = cl_abap_dyn_prg=>escape_xss_xml_html( val = user_parameter ).
" Equivalent built-in form: escape( val = user_parameter format = cl_abap_format=>e_xss_ml ).
WRITE lv_user_input.
Verify the fix by testing that the SAPIrExtHelp endpoint properly encodes special characters such as <, >, ", ', and & in all user-controllable parameters.
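As an added verification aid (not part of the original advisory and not SAP tooling), the following Python checks a captured response body for the encoding requirement above and reports any probe character that came back raw. The markers around the echoed value and both sample responses are constructed assumptions, since the page does not show the endpoint's page layout or parameter names:

```python
import html
import re

# Characters that the verification step requires to be encoded wherever
# SAPIrExtHelp reflects a user-controllable parameter.
PROBE = "<>\"'&"

# Accepted entity spellings for each probe character (named, decimal, hex).
ENTITY_FORMS = {
    "<": ("&lt;", "&#60;", "&#x3c;"),
    ">": ("&gt;", "&#62;", "&#x3e;"),
    '"': ("&quot;", "&#34;", "&#x22;"),
    "'": ("&#39;", "&#x27;", "&apos;"),
    "&": ("&amp;", "&#38;", "&#x26;"),
}
ENTITY_RE = re.compile(r"&(#x[0-9a-f]+|#[0-9]+|[a-z]+);", re.I)

def reflected_fragment(body: str, before: str, after: str) -> str:
    """Cut out the echoed value between two fixed markers of the page.
    The markers are assumptions; the page does not show the real layout."""
    start = body.index(before) + len(before)
    return body[start:body.index(after, start)]

def unencoded_chars(fragment: str) -> list[str]:
    """Probe characters that survive raw in the fragment. Well-formed entities
    are blanked first so the '&' opening '&lt;' is not reported as raw."""
    stripped = ENTITY_RE.sub("", fragment)
    return [c for c in PROBE if c in stripped]

def encoding_is_correct(fragment: str) -> bool:
    """True only when every probe character comes back in entity form."""
    if unencoded_chars(fragment):
        return False
    low = fragment.lower()
    return all(any(f in low for f in forms) for forms in ENTITY_FORMS.values())

# Constructed sample responses (not captured from a real system): the first
# echoes the probe raw, the second as the patched endpoint should.
VULNERABLE_BODY = "<p>Help topic: " + PROBE + " not found</p>"
FIXED_BODY = "<p>Help topic: " + html.escape(PROBE, quote=True) + " not found</p>"

def check(body: str) -> bool:
    """Run the check on a whole response body using the assumed markers."""
    return encoding_is_correct(reflected_fragment(body, "Help topic: ", " not found"))

if __name__ == "__main__":
    print("vulnerable sample passes:", check(VULNERABLE_BODY))  # False
    print("patched sample passes:", check(FIXED_BODY))          # True
```

A partially encoded reflection (for example quotes left raw while angle brackets are encoded) also fails the check, which is the case a hurried fix most often misses.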