usd-2023-0017 | XSS in SAP Partner Portal

Advisory ID: usd-2023-0017
Product: SAP Partner Portal
Vulnerability Type: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk: HIGH
Vendor URL:
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: Not assigned
CVE Link: Not assigned


Description

When a user does not have sufficient permissions to view a specific URL within the SAP Partner Portal, they are redirected to an error page.
During this redirection, the requested URL is passed to the error page as a URL parameter and embedded into the error message without any filtering or encoding.

It is therefore possible to include HTML tags and JavaScript in the requested URL, which allows an attacker to perform reflected cross-site scripting (XSS) attacks against portal users.

Proof of Concept

A proof of concept that displays a JavaScript alert box is triggered with this URL:


Fix

Filter and encode user input before embedding it into error messages.
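As an added illustration that is not part of this advisory or of SAP's own code, the following assumed error-page handler shows the unencoded reflection beside its encoded form, plus a simple retest check that flags input surviving verbatim in the page (the handler, the function names and the sample request are constructed):

```javascript
// Constructed example: an error page that reflects the URL the user
// requested. Neither the handler nor the sample request is SAP's code.

// Encode the characters that can break out of an HTML text or attribute
// context, so reflected input is rendered as text rather than markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the requested URL is pasted into the markup as-is.
function renderErrorPageUnsafe(requestedUrl) {
  return `<p>You do not have permission to view ${requestedUrl}</p>`;
}

// Fixed pattern: the same message, with the URL HTML-encoded first.
function renderErrorPageSafe(requestedUrl) {
  return `<p>You do not have permission to view ${escapeHtml(requestedUrl)}</p>`;
}

// Retest helper: true when a probe containing markup comes back verbatim,
// i.e. the page still reflects tags unencoded (the situation described
// in the 2023-05-11 timeline entry, where XSS was gone but tags survived).
function reflectsUnencoded(render, probe) {
  return render(probe).includes(probe);
}

// Constructed sample request with a harmless tag, used for the retest.
const SAMPLE_REQUEST = "/portal/confidential?id=1<b>bold</b>";

console.log("unsafe reflects tags:", reflectsUnencoded(renderErrorPageUnsafe, SAMPLE_REQUEST));
console.log("safe reflects tags:  ", reflectsUnencoded(renderErrorPageSafe, SAMPLE_REQUEST));
```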



Timeline

  • 2023-04-25: The vulnerability was identified by Nicolas Schickert.
  • 2023-04-28: The responsible disclosure team submits vulnerability details via
  • 2023-05-11: The XSS vulnerability was patched and confirmed to be fixed after a retest by Nicolas Schickert. However, some HTML tags were still not properly encoded, even though XSS was no longer possible.
  • 2023-06-06: A proof of concept for inserting HTML tags was sent to the SAP Security Team.
  • 2023-06-12: SAP reports that the vulnerability is fixed and the reflected URL is now properly sanitized.
  • 2023-09-25: Security advisory released by usd AG.


Credits

This security vulnerability was identified by Nicolas Schickert of usd AG.