SAP Web Application Server products contain a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.
The vulnerability exists due to insufficient validation of user-supplied input. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to follow a malicious link that is designed to pass attacker-supplied script code to the affected web server. When the user's request is processed, the script code may be returned to the affected user in the security context of the affected website. An exploit could allow the attacker to execute arbitrary HTML or script code in the user's browser session.
Proof-of-concept URLs are available to demonstrate the cross-site scripting attack.
SAP has not confirmed this vulnerability, and updated software is not available.
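
The reflection described above, shown as an added example that is not SAP code and not part of the original advisory: a page that echoes a query parameter unchanged, next to the same page with the value HTML-encoded, and a check that tells the two apart. The endpoint, the `q` parameter and the sample link are assumptions constructed for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Hypothetical page template; the endpoint and the "q" parameter are
# assumptions for illustration, not taken from any SAP component.
TEMPLATE = "<html><body><p>No results for: {term}</p></body></html>"


def query_value(url, name):
    """Return the first value of query parameter `name`, URL-decoded."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])
    return values[0]


def render_vulnerable(url):
    """Echo the parameter into HTML unchanged: markup in it becomes live."""
    return TEMPLATE.format(term=query_value(url, "q"))


def render_hardened(url):
    """Encode the parameter for the HTML context before echoing it."""
    return TEMPLATE.format(term=html.escape(query_value(url, "q"), quote=True))


def reflects_markup(url, render):
    """Check: does the response contain the raw parameter value as markup?"""
    value = query_value(url, "q")
    return any(c in value for c in "<>\"'") and value in render(url)


# Constructed sample link carrying a harmless marker script in "q".
SAMPLE = "http://app.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    for fn in (render_vulnerable, render_hardened):
        print(fn.__name__, "reflects markup:", reflects_markup(SAMPLE, fn))
```

The same comparison, run against responses captured from a test instance, is a quick way to confirm whether a given parameter is encoded on output.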