CVE-2022-26101 - Fiori Launchpad XSS Vulnerability in Versions 754, 755, 756 – How It Works and How to Stay Safe

In early 2022, a concerning security issue was discovered in SAP’s Fiori Launchpad. Tracked as CVE-2022-26101, this flaw allows attackers to inject JavaScript code into Fiori applications, putting your SAP environment and sensitive data at risk. In this post, we’ll break down what this vulnerability is, show code samples, explain how it can be exploited, and guide you on how to secure your landscape.

What is CVE-2022-26101?

CVE-2022-26101 is a Cross-Site Scripting (XSS) vulnerability affecting Fiori Launchpad in SAP NetWeaver UI Add-On for SAP NetWeaver ABAP, specifically in versions 754, 755, and 756. The problem is that Fiori Launchpad does not encode user-controlled inputs well enough, letting hackers slip malicious scripts into the web pages.

Where Does the Vulnerability Happen?

The vulnerability lurks in the way Fiori Launchpad handles user input in certain URL parameters or input fields. If input is displayed back to the user without proper sanitizing, it lets attackers inject malicious JavaScript.

Example Vulnerable Parameter:  
Some Fiori apps use the URL parameter sap-ui-app or user-controlled fields that are echoed to the page.

Here’s a simplified scenario

* An attacker sends a specially crafted URL to a user or plants it in a shared document.
* The link contains a malicious script in a vulnerable parameter.
* When the victim opens the link in the browser, the script runs and can steal session cookies, redirect to phishing pages, or cause other damage.

Example Exploit URL

https://your-fiori-server/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-ui-app=<script>alert('XSS')</script>;

What happens?
If the platform doesn’t sanitize this input, the JavaScript code (alert('XSS')) is executed in the user’s browser.

Here’s a simplified example using JavaScript to show how unsafe input handling creates the problem

// BAD: Directly using user input in HTML
var userInput = getParameterByName('sap-ui-app'); // e.g. from the URL
document.getElementById('appContainer').innerHTML = userInput;

If a user visits

?sap-ui-app=<img src="x" onerror="alert('XSS')">

The script in onerror will run.

SAP released a patch for this vulnerability. Details can be found here

- SAP Security Patch Day – March 2022
- NIST NVD Record for CVE-2022-26101

Apply SAP’s Patch.

Install the fix as soon as possible. The patch ensures all user input is properly encoded or sanitized.

`javascript

// GOOD: Escape input

- Test Fiori Launchpad with a payload like

  <script>alert('test')</script>
  

- If the alert box shows up, your system may be vulnerable. Contact your SAP Basis or security team ASAP!

Conclusion

CVE-2022-26101 is a real threat to SAP Fiori Launchpad deployments using older versions. XSS can open the door to major attacks. Patch now, educate your teams, and always handle user input as untrusted.

More Reading

- SAP Note 3131047 (Login required)
- NVD Entry for CVE-2022-26101
- OWASP XSS Cheatsheet

Stay safe – keep Fiori patched and your users protected!

Timeline

Published on: 03/10/2022 17:47:00 UTC
Last modified on: 06/21/2022 22:15:00 UTC