• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1490335

Главная Специалистам База уязвимостей Не установлено обновление Note 1490335

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1490335-5) SAP Support Packages (J2EE_ENGINE_APPLICATIONS_710_SP004_000002, J2EE_ENGINE_APPLICATIONS_710_SP005_000009, J2EE_ENGINE_APPLICATIONS_710_SP006_000004, J2EE_ENGINE_APPLICATIONS_710_SP007_000003, J2EE_ENGINE_APPLICATIONS_710_SP008_000003, J2EE_ENGINE_APPLICATIONS_710_SP009_000003, J2EE_ENGINE_APPLICATIONS_710_SP010_000002, J2EE_ENGINE_APPLICATIONS_710_SP999999_999999, J2EE_ENGINE_APPLICATIONS_711_SP001_000007, J2EE_ENGINE_APPLICATIONS_711_SP002_000006, J2EE_ENGINE_APPLICATIONS_711_SP003_000009, J2EE_ENGINE_APPLICATIONS_711_SP004_000006, J2EE_ENGINE_APPLICATIONS_711_SP005_000004, J2EE_ENGINE_APPLICATIONS_711_SP999999_999999, J2EE_ENGINE_APPLICATIONS_720_SP001_000005, J2EE_ENGINE_APPLICATIONS_720_SP002_000004, J2EE_ENGINE_APPLICATIONS_720_SP003_000001, J2EE_ENGINE_APPLICATIONS_720_SP999999_999999, J2EE_ENGINE_APPLICATIONS_730_SP000_000000, J2EE_ENGINE_APPLICATIONS_730_SP999999_999999, SAP_J2EE_ENGINE_640_SP024_000004, SAP_J2EE_ENGINE_640_SP025_000008, SAP_J2EE_ENGINE_640_SP026_000006, SAP_J2EE_ENGINE_640_SP999999_999999, SAP_JAVA_TECH_SERVICES_700_SP018_000019, SAP_JAVA_TECH_SERVICES_700_SP019_000019, SAP_JAVA_TECH_SERVICES_700_SP020_000017, SAP_JAVA_TECH_SERVICES_700_SP021_000012, SAP_JAVA_TECH_SERVICES_700_SP022_000004, SAP_JAVA_TECH_SERVICES_700_SP999999_999999, SAP_JAVA_TECH_SERVICES_701_SP003_000016, SAP_JAVA_TECH_SERVICES_701_SP004_000023, SAP_JAVA_TECH_SERVICES_701_SP005_000017, SAP_JAVA_TECH_SERVICES_701_SP006_000011, SAP_JAVA_TECH_SERVICES_701_SP007_000002, SAP_JAVA_TECH_SERVICES_701_SP999999_999999, SAP_JAVA_TECH_SERVICES_702_SP003_000006, SAP_JAVA_TECH_SERVICES_702_SP004_000003, SAP_JAVA_TECH_SERVICES_702_SP999999_999999)
Описание
Since the JavaServer Pages (JSPs) do not perform a sufficient input  validation and encoding of outputs in the administration of the XML data  archiving services (XML DAS), a reflected cross-site scripting can be  triggered. As a result, the content of a Web page can be manipulated when a manipulated link is called, for example.
An attacker can use reflected cross-site scripting to steal the logon  information of the current session of the victim. The attacker can then  use this information to pretend to the server that he is the victim and  can use the application with the same rights as the user who was attacked.
If the target of the attack is a user with administrative rights, all of the application data may be comprised as a result.
Как исправить
A comprehensive input validation and encoding the outputs of the JSPs in the administration of the XML data archiving services (XML DAS) ensures that this problem is solved.
Ссылки