Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1505302-3)
SAP Support Packages
(SAPKH50024, SAPKH50025, SAPKH60019, SAPKH60209, SAPKH60308, SAPKH60409, SAPKH60503, SAPKH60504)
Описание
The two BSP applications of the Purchasing Agent role execute certain functions through referencing specific URLs. When an attacker tricks an authenticated user#s browser into making a request containing a certain URL and specific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
Please do the following steps (Steps 3 and 4 are only relevant for SAP_APPL release 604 and below).
1. Refer to note 1520324 for additional information and instructions. The corrections from note 1520324 are a prerequisite for implementation of this note.
2. Implement the correction instructions of this note. This will also create the report BSP_XSRF_PARAM_MM_PUR in your system.
3. Execute the report BSP_XSRF_PARAM_MM_PUR and specify when requested a corresponding transport request number. The report will fill the database table BSPTEMPXSRFSTORE with corresponding entries for the BSP applications adapted by this note.
1. Refer to note 1520324 for additional information and instructions. The corrections from note 1520324 are a prerequisite for implementation of this note.
2. Implement the correction instructions of this note. This will also create the report BSP_XSRF_PARAM_MM_PUR in your system.
3. Execute the report BSP_XSRF_PARAM_MM_PUR and specify when requested a corresponding transport request number. The report will fill the database table BSPTEMPXSRFSTORE with corresponding entries for the BSP applications adapted by this note.
Ссылки